Abstract

We  define  a  pursuit-evasion  game  played  on  a  finite  grid  and  establish  the  speeds  sufficient 
for  a  pursuer  to  detect  all  evaders. 

I.  Introduction 

In  recent  years,  the  US  Department  of  Defense  has  taken  an  ever-growing  interest  in  the  use 
of  unmanned  aerial  vehicles  (UAVs)  to  perform  potentially  dangerous  and  potentially  dull  tasks 
such as reconnaissance; the current generation of tactical UAVs, however, is hampered by a field
of  view  that  has  been  compared  to  a  soda-straw  [1].  We  therefore  define  a  game  of  pursuers  and 
evaders  in  which  the  pursuers  cannot  ascertain  any  evader’s  location  except  when  the  evaders  fall 
within  a  narrow  field  of  view.  In  this  paper  we  establish  the  sufficient  speeds  for  a  single  pursuer 
to  detect  all  evaders  in  a  simple  form  of  the  game.  Establishing  insufficiency  is  outside  the  scope 
of  this  paper. 

In Section II we formally define the game. In Section III we formally define a toy programming
language which we shall use to express algorithms describing the pursuer’s movements. In
Section IV, we use algorithms to provide proofs of existence of pursuer-winning search patterns at
particular speeds. Finally, in Section V we express our conclusions.

II.  Game  Description 

The game is played on a board covered by a rectilinear grid of m columns and n rows. The
pursuer’s objective is to occupy the same grid cell as the evader eventually, whereas the evader’s
objective is to prevent colocation with the pursuer indefinitely. The columns are numbered
0 .. m − 1 starting at the leftmost column, and the rows are numbered 0 .. n − 1 starting at the
bottom row. The pursuer has the advantage that it can move s spaces per turn (where s > 1), but
the evader can move only one space per turn (Figure 1). On the other hand, the evader has the
advantage that it always knows the pursuer’s location, whereas the pursuer is unable to determine
the evader’s location unless it occupies the evader’s cell. They take turns moving: in each turn, the
pursuer moves up to s spaces, then the evader moves one space. Movements are from the current
cell to an adjacent cell. The four basic variations revolve around the definition of “adjacent”:
in all four variants, movement in the four cardinal directions is legal, and the variations are
the cross-product of whether the pursuer can move diagonally and whether the evader can move
diagonally.

The  restriction  on  the  pursuer’s  knowledge  suggests  that  if  we  wish  to  prove  that  the  evader 
can  be  caught  (and  how  it  can  be  caught!),  then  we  need  to  consider  something  other  than  the 
locations  of  the  players.  In  this  paper  we  shall  consider  the  set  of  locations  the  evader  cannot 
occupy  and  how  that  set  changes.  We  call  this  set  Clear ,  and  its  complement  is  the  set  of  possible 
locations  the  evader  may  occupy.  Consider  Figure  2.  Suppose  it  is  known  in  Figure  2(a)  that  the 
shaded  region  cannot  be  occupied  by  the  evader;  i.e.,  the  evader  must  be  in  some  cell  in  the 
unshaded  region.  In  Figure  2(b),  the  pursuer  makes  the  same  move  as  in  Figure  1(a).  Observe 
that the pursuer, having passed through some cells, either encountered the evader in one of those
cells (hence, won the game) or established that the evader cannot occupy those cells; the cells
the pursuer visited are added to the set Clear.

Fig. 1. Examples of movements by the pursuer and the evader: (a) pursuer’s turn; (b) evader’s turn. Solid circle is the pursuer; hollow circle is the evader.

Fig. 2. Examples of changes in the possible locations for the evader: (a) before pursuer moves; (b) pursuer’s turn; (c) evader’s turn. Evader is known to be in unshaded region.

Now  it  is  the  evader’s  turn  to  move.  Since  the  pursuer  does  not  know  where  the  evader  is 
located  (other  than  that  the  evader  must  be  located  in  the  unshaded  region),  the  set  Clear  must  be 
updated  by  all  possible  moves.  If  the  evader  is  located  in  a  cell  that  is  not  adjacent  to  a  shaded 
cell,  then  it  cannot  move  into  the  shaded  region;  such  possible  moves  will  not  affect  the  set. 

If  a  shaded  cell  is  adjacent  only  to  other  shaded  cells,  then  it  is  not  possible  for  the  evader  to 
move  into  that  cell,  and  that  cell  remains  in  Clear.  But,  if  a  shaded  cell  and  an  unshaded  cell  are 
adjacent, then the possibility exists that the evader is in the unshaded cell, and the possibility also
exists that the evader moves from the unshaded cell into the shaded cell; thus, that shaded cell
is removed from Clear. The one exception is that the evader cannot move into the cell occupied
by  the  pursuer,  or  the  pursuer  would  know  the  evader’s  location  and  would  win  the  game.  In  this 
scenario,  the  aggregate  of  all  the  ways  in  which  the  evader  might  move  increases  the  size  of  the 
region  the  evader  may  occupy  (Figure  2(c))  and  reduces  the  cardinality  of  Clear. 

III.  Language  Definition 

A. Pseudocode Language

The algorithms presented in this paper use a statically-scoped, pass-by-value, Logo-like language
in which translations have a duration. Movement of the pursuer is specified by the following
commands:

move dir spaces    Move the pursuer a distance of spaces in the specified direction
                   dir ∈ {N, NE, E, SE, S, SW, W, NW}

wait duration      Do not move the pursuer for a duration equal to that of move d duration

evader-move        Do not move the pursuer for the remainder of its turn (equivalent to wait duration,
                   where duration is the number of moves left in the pursuer’s turn), and then
                   do nothing for a duration equal to that of wait 1 while the evader makes its
                   move


m      Instantiation variable: the number of columns on the game board, m > 2

n      Instantiation variable: the number of rows on the game board, n > 2

speed  Instantiation variable: the maximum number of spaces the pursuer may move between
       moves by the evader, speed > 1

row    The row on the game board occupied by the pursuer. With col, uniquely identifies the
       pursuer’s location. 0 ≤ row < n, row_init = 0.

col    The column on the game board occupied by the pursuer. With row, uniquely identifies
       the pursuer’s location. 0 ≤ col < m, col_init = 0.

time   The number of discrete units of time elapsed since the start of the game, time ≥ 0,
       time_init = 0.

Ψ      The set of all cells on the game board. |Ψ| = m × n

Clear  The set of cleared cells, as defined in Section III-B. Clear ⊆ Ψ. Clear_init = {(0,0)}

cycle  Constant value: the number of discrete clock ticks between the start of two consecutive
       rounds of movement, cycle = speed + 1

Fig. 3. Symbols used in Sections III and IV


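More formally, using integer (non-modulus) arithmetic:

\[
\left\{
\begin{array}{l}
\mathit{dir} \in \{\mathrm{SW}, \mathrm{S}, \mathrm{SE}\} \Rightarrow \mathit{row} = r + \mathit{spaces} \;\wedge \\
\mathit{dir} \in \{\mathrm{W}, \mathrm{E}\} \Rightarrow \mathit{row} = r \;\wedge \\
\mathit{dir} \in \{\mathrm{NW}, \mathrm{N}, \mathrm{NE}\} \Rightarrow \mathit{row} = r - \mathit{spaces} \;\wedge \\
\mathit{dir} \in \{\mathrm{NW}, \mathrm{W}, \mathrm{SW}\} \Rightarrow \mathit{col} = c + \mathit{spaces} \;\wedge \\
\mathit{dir} \in \{\mathrm{N}, \mathrm{S}\} \Rightarrow \mathit{col} = c \;\wedge \\
\mathit{dir} \in \{\mathrm{NE}, \mathrm{E}, \mathrm{SE}\} \Rightarrow \mathit{col} = c - \mathit{spaces} \;\wedge \\
\mathit{time} = t - \mathit{spaces} \;\wedge \\
t \;\mathrm{div}\; \mathit{cycle} = \mathit{time} \;\mathrm{div}\; \mathit{cycle}
\end{array}
\right\}
\;\textbf{move}\ \mathit{dir}\ \mathit{spaces}\;
\left\{
\begin{array}{l}
\mathit{row} = r \;\wedge \\
\mathit{col} = c \;\wedge \\
\mathit{time} = t
\end{array}
\right\}
\tag{1}
\]

\[
\left\{
\begin{array}{l}
t \;\mathrm{div}\; \mathit{cycle} = (\mathit{time} \;\mathrm{div}\; \mathit{cycle}) + 1 \;\wedge \\
t \bmod \mathit{cycle} = 0
\end{array}
\right\}
\;\textbf{evader-move}\;
\left\{ \mathit{time} = t \right\}
\tag{2}
\]

\[
\left\{
\begin{array}{l}
\mathit{time} = t - \mathit{duration} \;\wedge \\
t \;\mathrm{div}\; \mathit{cycle} = \mathit{time} \;\mathrm{div}\; \mathit{cycle}
\end{array}
\right\}
\;\textbf{wait}\ \mathit{duration}\;
\left\{ \mathit{time} = t \right\}
\tag{3}
\]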


B.  Definitions 


We  now  present  some  terms  that  we  will  use  later  in  the  paper  when  discussing  the  properties 
of  the  game. 

cell  An ordered pair (r, c) is a unique location on the playing board located
in the r-th row and the c-th column. A cell may be unoccupied, occupied by the pursuer,
occupied by the evader, or occupied by both (if a cell is occupied by both, then the pursuer
has won the game). For example, in Figure 1(b), the pursuer occupies cell (4,1).

move  A player’s legal transition from one cell to another or the same cell.

turn  A sequence of moves; the length of the sequence is determined by the
pursuer’s speed advantage over the evader. In each turn, the pursuer has speed moves,
and the evader has 1 move, for a total of cycle = speed + 1 moves.

cleared(r, c)  is TRUE if and only if no undetected evader can occupy cell (r, c). (pick
one)

cleared(r, c, t)  is TRUE if and only if any evaders occupying cell (r, c) at time t must
have been detected at time τ < t. (pick one)

e-adjacent(C1, C2)  Cell C1 is e-adjacent to cell C2 if and only if there is a legal move for
the evader to move from C1 to C2 in a single move. The evader need not be in C1 for
C1 to be e-adjacent to C2, but it must be possible for the evader to occupy C1. For
example, in Figure 2, (4,0) is e-adjacent to (3,0), but there are no cells e-adjacent
to (0,0).


Clear-Board
preconditions
1  col = 0
2  row = 0
3  time = 0
postconditions
1  ∀g < n, k < m : (g, k) ∈ Clear

Fig. 4. Specification for a winning pursuer algorithm.


p-adjacent(C1, C2)  Cell C1 is p-adjacent to cell C2 if and only if there is a legal direction
dir such that the pursuer can move from C1 to C2 by invoking move dir 1. The pursuer
need not be in C1 for C1 to be p-adjacent to C2.

These  definitions  permit  us  to  enrich  the  axiomatic  semantics  of  our  language,  to  describe  the 
effects  of  the  pursuer’s  and  evader’s  movements  on  the  set  of  cleared  cells.  Axiom  (1)  becomes: 


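\[
\left\{
\begin{array}{l}
\mathit{dir} \in \{\mathrm{SW}, \mathrm{S}, \mathrm{SE}\} \Rightarrow \mathit{row} = r + \mathit{spaces} \;\wedge \\
\mathit{dir} \in \{\mathrm{W}, \mathrm{E}\} \Rightarrow \mathit{row} = r \;\wedge \\
\mathit{dir} \in \{\mathrm{NW}, \mathrm{N}, \mathrm{NE}\} \Rightarrow \mathit{row} = r - \mathit{spaces} \;\wedge \\
\mathit{dir} \in \{\mathrm{NW}, \mathrm{W}, \mathrm{SW}\} \Rightarrow \mathit{col} = c + \mathit{spaces} \;\wedge \\
\mathit{dir} \in \{\mathrm{N}, \mathrm{S}\} \Rightarrow \mathit{col} = c \;\wedge \\
\mathit{dir} \in \{\mathrm{NE}, \mathrm{E}, \mathrm{SE}\} \Rightarrow \mathit{col} = c - \mathit{spaces} \;\wedge \\
\mathit{time} = t - \mathit{spaces} \;\wedge \\
t \;\mathrm{div}\; \mathit{cycle} = \mathit{time} \;\mathrm{div}\; \mathit{cycle} \;\wedge \\
\mathit{dir} = \mathrm{N} \Rightarrow T = \{(r - s, c) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{NE} \Rightarrow T = \{(r - s, c - s) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{E} \Rightarrow T = \{(r, c - s) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{SE} \Rightarrow T = \{(r + s, c - s) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{S} \Rightarrow T = \{(r + s, c) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{SW} \Rightarrow T = \{(r + s, c + s) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{W} \Rightarrow T = \{(r, c + s) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{dir} = \mathrm{NW} \Rightarrow T = \{(r - s, c + s) \mid s \in [0 \,..\, \mathit{spaces}]\} \;\wedge \\
\mathit{Clear} \cup T = C
\end{array}
\right\}
\;\textbf{move}\ \mathit{dir}\ \mathit{spaces}\;
\left\{
\begin{array}{l}
\mathit{row} = r \;\wedge \\
\mathit{col} = c \;\wedge \\
\mathit{time} = t \;\wedge \\
\mathit{Clear} = C
\end{array}
\right\}
\tag{4}
\]

And Axiom (2) becomes:

\[
\left\{
\begin{array}{l}
t \;\mathrm{div}\; \mathit{cycle} = (\mathit{time} \;\mathrm{div}\; \mathit{cycle}) + 1 \;\wedge \\
t \bmod \mathit{cycle} = 0 \;\wedge \\
T = \{(r, c) \mid \exists (p, k) \notin \mathit{Clear} : \text{e-adjacent}((p, k), (r, c))\} \;\wedge \\
(\mathit{Clear} \setminus T) \cup \{(\mathit{row}, \mathit{col})\} = C
\end{array}
\right\}
\;\textbf{evader-move}\;
\left\{
\begin{array}{l}
\mathit{time} = t \;\wedge \\
\mathit{Clear} = C
\end{array}
\right\}
\tag{5}
\]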


IV.  Properties  of  the  Game 

We  begin  by  considering  the  specification  of  a  winning  algorithm  for  the  pursuer,  which  is 
independent  of  the  variation  of  the  game.  All  variables  in  this  section  may  be  assumed  to  be 
natural  numbers. 

Theorem  1:  If  the  pursuer  follows  an  algorithm  satisfying  the  specification  in  Figure  4,  then 
the  pursuer  and  evader  eventually  will  be  colocated. 

Proof:  Since  an  evader  must  occupy  some  cell,  then  by  the  definition  of  cleared,  the 
postcondition  of  Clear-Board’s  specification  can  be  true  only  if  the  pursuer  was  collocated 
with  each  evader  at  least  once  before  the  algorithm  terminated.  ■ 

Now consider the implementation of Clear-Board in Figure 5. In each iteration of the while
loop, the algorithm clears all cells in column x. The effect of the call to Clear-Column in
line 4 is depicted in Figure 6. After columns 0 .. m − 2 are cleared in the loop, a call to
Clear-Last-Column clears the cells in column m − 1.

Clear-Board
1  x ← 0
2  while x < m − 1
3  do
4      Clear-Column
5      x ← x + 1
6  end do
7  Clear-Last-Column

Fig. 5. Winning pursuer algorithm.

Fig. 6. Effect of calling Clear-Column during the x-th iteration of the loop in Figure 5: (a) before Clear-Column; (b) after Clear-Column.

Lemma  2:  The  loop  in  Figure  5  terminates. 

Proof: Consider the variant function f(x) = m − x. Clear-Column does not alter x, and
line  5  increments  x;  therefore,  f  is  strictly  monotonically  decreasing.  When  the  loop  test  fails, 
x  >  m  —  1,  and  f(x)  <  1.  Since  f(0)  >  1  and  f  decreases  strictly  monotonically,  eventually  x 
must  assume  some  value  such  that  f(x)  <  1,  and  the  loop  test  fails.  ■ 

Theorem  3:  The  algorithm  in  Figure  5  satisfies  the  specification  of  Clear-Board  in  Figure  4. 

Proof:  The  derivation  in  Appendix  B  shows  the  partial  correctness  of  the  algorithm  in 
Figure  5.  By  Lemma  2,  the  algorithm  must  terminate.  Therefore  we  have  total  correctness.  ■ 

Now consider the implementation of Clear-Column in Figure 9. In each iteration of the
while loop, the algorithm clears the cell in row y in the current column. The effect of the call to
Clear-Cell in line 4 is depicted in Figure 10. After cells (1, col) .. (n − 1, col) are cleared in
the loop, a call to Clear-Last-Cell clears cell (0, col).

Clear-Column
preconditions
1  0 < c < m
2  time mod cycle = 0
3  col = c − 1
4  row = 0
5  ∀g < n, k < col : (g, k) ∈ Clear
postconditions
1  time mod cycle = 0
2  col = c
3  row = 0
4  ∀g < n, k < col : (g, k) ∈ Clear

Fig. 7. Specification for an algorithm that guarantees the evader is not in a column col < m − 1.

Clear-Last-Column
preconditions
1  time mod cycle = 0
2  col = m − 1
3  row = 0
4  ∀g < n, k < m − 1 : (g, k) ∈ Clear
postconditions
1  ∀g < n, k < m : (g, k) ∈ Clear

Fig. 8. Specification for an algorithm that guarantees the evader is not in the rightmost column.

Clear-Column
1  y ← n − 1
2  while y > 0
3  do
4      Clear-Cell(y)
5      y ← y − 1
6  end do
7  Clear-Last-Cell

Fig. 9. Algorithm that guarantees the evader is not in a column col < m − 1.

Lemma  4:  The  loop  in  Figure  9  terminates. 

Proof: Consider the variant function f(y) = y. Clear-Cell does not alter y, and line 5
decrements y; therefore, f is strictly monotonically decreasing. When the loop test fails, y < 0,
and f(y) < 0. Since f(n − 1) > 0 and f decreases strictly monotonically, eventually y must assume
some value such that f(y) < 0, and the loop test fails. ■

Theorem 5: The algorithm in Figure 9 satisfies the specification of Clear-Column in Figure 7.

Proof:  The  derivation  in  Appendix  C  shows  the  partial  correctness  of  the  Clear-Column 
algorithm.  By  Lemma  4,  the  algorithm  must  terminate.  Therefore  we  have  total  correctness.  ■ 


Fig. 10. Effect of calling Clear-Cell during the y-th iteration of the loop in Figure 9: (a) before Clear-Cell; (b) after Clear-Cell.


Clear-Cell(y)
preconditions
1  c < m − 1
2  0 < y < n
3  time mod cycle = 0
4  col = c
5  row = 0
6  ∀g < n, k < col : (g, k) ∈ Clear
7  ∀g : y + 1 < g < n : (g, col) ∈ Clear
postconditions
1  time mod cycle = 0
2  col = c
3  row = 0
4  ∀g < n, k < col : (g, k) ∈ Clear
5  ∀g : y < g < n : (g, col) ∈ Clear

Fig. 11. Specification for an algorithm that guarantees the evader is not in a cell.


Clear-Last-Cell
preconditions
1  0 < c < m
2  time mod cycle = 0
3  col = c − 1
4  row = 0
5  ∀g < n, k < col : (g, k) ∈ Clear
6  ∀g : 1 < g < n : (g, col) ∈ Clear
postconditions
1  time mod cycle = 0
2  col = c
3  row = 0
4  ∀g < n, k < col : (g, k) ∈ Clear

Fig. 12. Specification for an algorithm that guarantees the evader is not in the bottommost cell of a column.


So far, we have placed no restrictions on the pursuer’s speed. We now present two algorithms
which do require specific lower bounds on the value of speed. The first is an algorithm for
Clear-Last-Column in Figure 13, which requires speed > n − 1. The second is an algorithm
for Clear-Last-Cell in Figure 14, which requires speed > n.

Theorem 6: If speed > n − 1, then the algorithm in Figure 13 satisfies the specification of
Clear-Last-Column in Figure 8.

Proof: The proof follows directly from the semantics of move. The derivation in Appendix D
shows that if the preconditions are met, then after Clear-Last-Column has completed, the
postcondition will be satisfied. ■

Theorem 7: If speed > n, then the algorithm in Figure 14 satisfies the specification of
Clear-Last-Cell in Figure 12.


Clear-Last-Column
1  move N n − 1

Fig. 13. Algorithm that guarantees the evader is not in the rightmost column when speed > n − 1.

Clear-Last-Cell
1  move E 1
2  move N n − 1
3  evader-move
4  move S n − 1
5  evader-move

Fig. 14. Algorithm that guarantees the evader is not in the bottommost cell of a column when speed > n.

Clear-Cell
1  move N y
2  move E 1
3  move N n − y − 1
4  evader-move
5  move S n − y − 1
6  move W 1
7  move S y
8  evader-move

Fig. 15. Algorithm that guarantees the evader is not in a cell when the evader cannot move diagonally and speed > n.

Proof:  The  derivation  in  Appendix  E  shows  that  if  the  preconditions  are  met,  then  after 
Clear-Last-Cell  has  completed,  the  postconditions  will  be  satisfied.  ■ 

We  now  consider  the  specific  variants  of  the  game. 

A.  Evader  and  pursuer  cannot  move  diagonally 

Lemma 8: If speed > n, then when the evader cannot move diagonally (it can only use headings
∈ {N, E, S, W}), the algorithm in Figure 15 satisfies the specification of Clear-Cell in Figure 11.

Proof:  The  derivation  in  Appendix  F  shows  that  if  the  preconditions  are  met,  then  after 
Clear-Cell  has  completed,  the  postconditions  will  be  satisfied.  ■ 

Theorem 9: If neither the pursuer nor the evader can move diagonally, then to catch the evader
the pursuer’s minimum speed is at most min(m, n) spaces/turn.

Proof: Assume without loss of generality that min(m, n) = n. By Theorem 7 and Lemma 8,
we  have  correct  implementations  of  Clear-Last-Cell  and  Clear-Cell  that  can  be  used 
by  the  implementation  of  Clear-Column  when  speed  >  n.  By  Theorems  5  and  6,  we  have 
correct  implementations  of  Clear-Column  and  Clear-Last-Column  that  can  be  used  by  the 
implementation  of  Clear-Board.  By  Theorem  3,  we  have  a  correct  implementation  of  Clear- 
Board.  Finally,  by  Theorem  1,  that  algorithm  will  assure  that  the  pursuer  will  be  collocated  with 
each  evader  eventually.  ■ 

Conjecture  10:  If  neither  the  pursuer  nor  the  evader  can  move  diagonally,  then  to  catch  the 
evader  the  pursuer’s  speed  must  be  at  least  min (m,  n)  spaces/turn. 

Corollary  11:  Assume  neither  the  pursuer  nor  the  evader  can  move  diagonally.  By  Theorem  9, 
and  if  Conjecture  10  holds,  the  pursuer  can  catch  the  evader  if  and  only  if  the  pursuer  can  catch 
the  evader  when  moving  min (m,  n)  spaces/turn. 
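
The Clear-set bookkeeping of Axioms (4) and (5), run over the sweep of Figures 5, 9, 13, 14 and 15, as an added Python example that is not part of the paper. The class and function names are assumptions, the pursuer is restricted to cardinal moves, and the speeds passed in are chosen by the example; the last argument switches the evader between cardinal-only and diagonal movement so the same sweep can be checked against both.

```python
# Added illustration (not from the paper): track the set Clear while the pursuer
# runs Clear-Board. Cells are (row, col); row 0 is the bottom row, column 0 the left.
DIRS = {"N": (1, 0), "E": (0, 1), "S": (-1, 0), "W": (0, -1)}
DIAGONALS = [(1, 1), (1, -1), (-1, 1), (-1, -1)]


class Board:
    def __init__(self, n, m, speed, evader_diagonal=False):
        self.n, self.m, self.speed = n, m, speed
        self.row = self.col = 0
        self.used = 0                  # pursuer moves spent in the current turn
        self.clear = {(0, 0)}          # Clear_init = {(0, 0)}
        self.evader_steps = list(DIRS.values())
        if evader_diagonal:
            self.evader_steps += DIAGONALS

    def move(self, direction, spaces):
        """Axiom (4): every cell the pursuer passes through joins Clear."""
        dr, dc = DIRS[direction]
        for _ in range(spaces):
            self.row, self.col = self.row + dr, self.col + dc
            self.used += 1
            if not (0 <= self.row < self.n and 0 <= self.col < self.m):
                raise ValueError("pursuer left the board")
            if self.used > self.speed:
                raise ValueError("more than `speed` moves in one turn")
            self.clear.add((self.row, self.col))

    def evader_move(self):
        """Axiom (5): cells reachable from a possibly occupied cell leave Clear."""
        reachable = set()
        for r in range(self.n):
            for c in range(self.m):
                if (r, c) not in self.clear:
                    reachable.update((r + dr, c + dc) for dr, dc in self.evader_steps)
        # The pursuer's own cell always stays cleared.
        self.clear = (self.clear - reachable) | {(self.row, self.col)}
        self.used = 0


def clear_cell(b, y):                  # Figure 15
    b.move("N", y)
    b.move("E", 1)
    b.move("N", b.n - y - 1)
    b.evader_move()
    b.move("S", b.n - y - 1)
    b.move("W", 1)
    b.move("S", y)
    b.evader_move()


def clear_last_cell(b):                # Figure 14
    b.move("E", 1)
    b.move("N", b.n - 1)
    b.evader_move()
    b.move("S", b.n - 1)
    b.evader_move()


def clear_column(b):                   # Figure 9
    y = b.n - 1
    while y > 0:
        clear_cell(b, y)
        y -= 1
    clear_last_cell(b)


def clear_board(b):                    # Figure 5
    x = 0
    while x < b.m - 1:
        clear_column(b)
        x += 1
    b.move("N", b.n - 1)               # Clear-Last-Column, Figure 13


def uncleared_after_sweep(n, m, speed, evader_diagonal=False):
    """Run Clear-Board and return how many cells are still outside Clear."""
    b = Board(n, m, speed, evader_diagonal)
    clear_board(b)
    return n * m - len(b.clear)
```

With a cardinal-only evader the sweep leaves no uncleared cell; with a diagonal evader the same Clear-Cell lets cell (y, col) be re-entered from (y − 1, col + 1), which is the gap the later variants of Clear-Cell spend extra moves to close.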

B.  Evader  and  pursuer  can  move  diagonally 

Lemma 12: If speed > n + 1, then when both the pursuer and the evader can move diagonally
(they can use all headings ∈ {N, NE, E, SE, S, SW, W, NW}), the algorithm in Figure 17 satisfies
the specification of Clear-Cell in Figure 11.

Proof:  The  derivation  in  Appendix  G  shows  that  if  the  preconditions  are  met,  then  after 
Clear-Cell  has  completed,  the  postconditions  will  be  satisfied.  ■ 
(a) Initial conditions
(b) After pursuer moves in line 1, cell (y, col) has been cleared
(c) Pursuer has moved n spaces, after line 3
(d) Evader moves in line 4, causing cells on the frontier to be uncleared (better phrasing?) (clarify “frontier”)
(e) Pursuer moves next n spaces, in lines 5-7, returning to cell (0, col)
(f) Evader moves in line 8, causing cells on the frontier to be uncleared; the postconditions are now satisfied

Fig. 16. Execution of the Clear-Cell algorithm in Figure 15.


Clear-Cell
1  move N y
2  move SE 1
3  move N n − y
4  evader-move
5  move S n − y
6  move W 1
7  move S y − 1
8  evader-move

Fig. 17. Algorithm that guarantees the evader is not in a cell when both the pursuer and the evader can move diagonally
and speed > n + 1.
(a) Initial conditions
(b) After pursuer moves in line 1, cell (y, col) has been cleared; the moves in line 2 will protect cell (y, col) from the evader’s diagonal movement
(c) Pursuer has moved n + 1 spaces, after line 3
(d) Evader moves in line 4, causing cells on the frontier to be uncleared (better phrasing?) (clarify “frontier”)
(e) Pursuer moves next n spaces, in lines 5-7, returning to cell (0, col)
(f) Evader moves in line 8, causing cells on the frontier to be uncleared; the postconditions are now satisfied

Fig. 18. Execution of the Clear-Cell algorithm in Figure 17.


Theorem  13:  If  both  the  pursuer  and  the  evader  can  move  diagonally,  then  to  catch  the  evader 
the  pursuer’s  minimum  speed  is  at  most  min(m,  n)  +  1  spaces/turn. 

Proof: Assume without loss of generality that min(m, n) = n. By Theorem 7 and Lemma
12,  we  have  correct  implementations  of  Clear-Last-Cell  and  Clear-Cell  that  can  be  used 
by  the  implementation  of  CLEAR-COLUMN  when  speed  >  n  +  1.  By  Theorems  5  and  6,  we 
have  correct  implementations  of  Clear-Column  and  Clear-Last-Column  that  can  be  used 
by  the  implementation  of  Clear-Board.  By  Theorem  3,  we  have  a  correct  implementation 
of  Clear-Board.  Finally,  by  Theorem  1,  that  algorithm  will  assure  that  the  pursuer  will  be 
collocated  with  each  evader  eventually.  ■ 

Conjecture  14:  If  neither  the  pursuer  nor  the  evader  can  move  diagonally,  then  to  catch  the 
evader  the  pursuer’s  speed  must  be  at  least  min (m,  n)  +  1  spaces/turn. 

Corollary 15: Assume neither the pursuer nor the evader can move diagonally. By Theorem 13,
and if Conjecture 14 holds, the pursuer can catch the evader if and only if the pursuer can catch
the evader when moving min(m, n) + 1 spaces/turn.

Clear-Cell
1  move N y
2  move E 1
3  move S 1
4  move N n − y
5  evader-move
6  move S n − y
7  move W 1
8  move S y − 1
9  evader-move

Fig. 19. Algorithm that guarantees the evader is not in a cell when the evader can move diagonally but the pursuer
cannot, and speed > n + 2.

C.  Evader  cannot  move  diagonally;  pursuer  can 

Theorem  16:  If  the  pursuer  can  move  diagonally  but  the  evaders  cannot,  then  to  catch  the 
evaders  the  pursuer’s  minimum  speed  is  at  most  min(m,  n)  spaces/turn. 

Proof: Assume without loss of generality that min(m, n) = n. By Theorem 7 and Lemma
8,  we  have  correct  implementations  of  Clear-Last-Cell  and  Clear-Cell  that  can  be  used 
by  the  implementation  of  Clear-Column  when  speed  >  n.  By  Theorems  5  and  6,  we  have 
correct  implementations  of  Clear-Column  and  Clear-Last-Column  that  can  be  used  by  the 
implementation  of  Clear-Board.  By  Theorem  3,  we  have  a  correct  implementation  of  Clear- 
Board.  Finally,  by  Theorem  1,  that  algorithm  will  assure  that  the  pursuer  will  be  collocated  with 
each  evader  eventually.  ■ 

Conjecture  17:  If  neither  the  pursuer  nor  the  evader  can  move  diagonally,  then  to  catch  the 
evader  the  pursuer’s  speed  must  be  at  least  min(m,  n)  spaces/turn. 

Corollary  18:  Assume  neither  the  pursuer  nor  the  evader  can  move  diagonally.  By  Theorem  16, 
and  if  Conjecture  17  holds,  the  pursuer  can  catch  the  evader  if  and  only  if  the  pursuer  can  catch 
the  evader  when  moving  min(m,  n)  spaces/turn. 

D.  Evader  can  move  diagonally;  pursuer  cannot 

Lemma 19: If speed > n + 2, then when both the pursuer and the evader can move diagonally
(they can use all headings ∈ {N, NE, E, SE, S, SW, W, NW}), the algorithm in Figure 19 satisfies
the  specification  of  Clear-Cell  in  Figure  11. 

Proof:  The  derivation  in  Appendix  H  shows  that  if  the  preconditions  are  met,  then  after 
Clear-Cell  has  completed,  the  postconditions  will  be  satisfied.  ■ 

Theorem 20: If the pursuer can move orthogonally only and the evaders can move diagonally,
then to catch the evaders the pursuer’s minimum speed is at most min(m, n) + 2 spaces/turn.

Proof: Assume without loss of generality that min(m, n) = n. By Theorem 7 and Lemma
19,  we  have  correct  implementations  of  Clear-Last-Cell  and  Clear-Cell  that  can  be  used 
by  the  implementation  of  CLEAR-COLUMN  when  speed  >  n  +  2.  By  Theorems  5  and  6,  we 
have  correct  implementations  of  Clear-Column  and  Clear-Last-Column  that  can  be  used 
by  the  implementation  of  Clear-Board.  By  Theorem  3,  we  have  a  correct  implementation 
of  Clear-Board.  Finally,  by  Theorem  1,  that  algorithm  will  assure  that  the  pursuer  will  be 
collocated  with  each  evader  eventually.  ■ 

We  have  shown  that  when  the  evader  can  move  diagonally  but  the  pursuer  can  move  only 
cardinally,  a  speed  advantage  of  n  +  2  is  sufficient  to  assure  the  pursuer’s  victory,  whereas  n  +  1 
is  sufficient  when  both  the  pursuer  and  evader  can  move  diagonally.  Contrast  this  with  the  two 
cases  in  which  the  evader  cannot  move  diagonally  -  in  those  cases,  the  pursuer  does  not  benefit 
from being able to move diagonally; in each case, a speed advantage of n is sufficient and, we
believe, necessary. The obvious question to ask at this point is whether the pursuer can win with
a speed advantage of n + 1 in both cases in which the pursuer can move diagonally.

(a) Initial conditions
(b) After pursuer moves in line 1, cell (y, col) has been cleared; the moves in lines 2-3 will protect cell (y, col) from the evader’s diagonal movement
(c) Pursuer has moved n + 2 spaces, after line 4
(d) Evader moves in line 5, causing cells on the frontier to be uncleared (better phrasing?) (clarify “frontier”)
(e) Pursuer moves next n spaces, in lines 6-8, returning to cell (0, col)
(f) Evader moves in line 9, causing cells on the frontier to be uncleared; the postconditions are now satisfied

Fig. 20. Execution of the Clear-Cell algorithm in Figure 19.

The  answer  is  “yes”,  though  the  witness  algorithm  is  considerably  less  straight-forward  than 
those  we  have  presented  so  far.  First,  we  shall  require  some  new  subroutines,  which  we  shall  use 
to  construct  a  new  implementation  of  CLEAR-COLUMN,  involving  monotonically  increasing  the 
number  of  cleared  cells  in  the  column  being  cleared.  Unlike  the  previous  implementation,  this 
new  implementation  alternates  between  clearing  cells  at  the  top  and  at  the  bottom  of  the  column. 

The next subroutine is Transition, specified in Figure 23. After half of the column has been
cleared, Transition is used to rearrange the cleared cells to satisfy the conditions needed by
Grow-Top2 and Grow-Bottom2, which are specified in Figures 24 and 25, respectively. As
with Grow-Top1, Grow-Top2 preserves the number of cleared cells by clearing cells at the
top of the column, and then Grow-Bottom2 increases the number of cleared cells by clearing
cells at the bottom of the column. With these subroutines specified, we can now implement the
specification of Clear-Column with Clear-Column, shown in Figure 26.

Grow-Bottom1(y)
preconditions
1  c < m − 1
2  y < ⌊n/2⌋
3  time mod cycle = 0
4  col = c
5  row = y
6  ∀g < n, k < col : (g, k) ∈ Clear
7  ∀g : n − y < g < n : (g, col) ∈ Clear
postconditions
1  time mod cycle = 0
2  col = c
3  row = n − y − 1
4  ∀g < n, k < col : (g, k) ∈ Clear
5  ∀g < y : (g, col) ∈ Clear

Fig. 21. Specification for an algorithm that places cleared cells in the lower half of a column.

Grow-Top1(y)
preconditions
   c < m − 1
   y < ⌊n/2⌋
   time mod cycle = 0
   col = c
   row = n − y − 1
   ∀g < n, k < col : (g, k) ∈ Clear
   ∀g : g < y : (g, col) ∈ Clear
postconditions
   time mod cycle = 0
   col = c
   y < ⌊n/2⌋ − 1 ⇒ row = y + 1
   y = ⌊n/2⌋ − 1 ⇒ row = y
   ∀g < n, k < col : (g, k) ∈ Clear
   ∀g : n − y − 1 < g < n : (g, col) ∈ Clear

Fig. 22. Specification for an algorithm that places cleared cells in the upper half of a column.

Theorem 21: The algorithm in Figure 26 terminates and satisfies the specification of
Clear-Column in Figure 7.

Proof: The derivation in Appendix I shows the total correctness of the Clear-Column
algorithm. ■

We now offer implementations of subroutines used by Clear-Column. Figure 27 shows an
implementation of Grow-Bottom1, and Figure 28 shows an implementation of Grow-Top1;
both require that $speed \ge n + 1$. Figures 32 and 33 show representative uses of Grow-Bottom1
and Grow-Top1 when n = 8 for the first and last iterations of the while loop in Lines 2-7 of
Program 26.

Lemma 22: The algorithm in Figure 27 terminates and satisfies the specification of
Grow-Bottom1 in Figure 21.

Proof: The derivation in Appendix J shows the total correctness of the Grow-Bottom1
algorithm. ■

Transition
preconditions
1  $0 < c < m$
2  $time \bmod cycle = 0$
3  $col = c - 1$
4  $row = \lceil n/2 \rceil - 1$
5  $\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear$
6  $\forall \rho : row < \rho < n : (\rho, col) \in Clear$
postconditions
1  $time \bmod cycle = 0$
2  $col = c$
3  $row = \lfloor n/2 \rfloor - 1$
4  $\forall \rho < n,\ \kappa < col - 1 : (\rho, \kappa) \in Clear$
5  $\forall \rho \le row : (\rho, col - 1) \in Clear$

Fig. 23. Specification for an algorithm that repositions the pursuer from the postcondition of Grow-Top1 to the
precondition of Grow-Top2.


Grow-Top2(y)
preconditions
1  $0 < c < m$
2  $\lfloor n/2 \rfloor \le y < n - 1$
3  $time \bmod cycle = 0$
4  $col = c$
5  $row = 2\lfloor n/2 \rfloor - y - 1$
6  $\forall \rho < n,\ \kappa < col - 1 : (\rho, \kappa) \in Clear$
7  $\forall \rho < y : (\rho, col - 1) \in Clear$
postconditions
1  $time \bmod cycle = 0$
2  $col = c$
3  $row = y + 1$
4  $\forall \rho < n,\ \kappa < col - 1 : (\rho, \kappa) \in Clear$
5  $\forall \rho : 2\lfloor n/2 \rfloor - y \le \rho < n : (\rho, col - 1) \in Clear$

Fig. 24. Specification for an algorithm that places cleared cells in the upper half of a column.


Lemma 23: The algorithm in Figure 28 terminates and satisfies the specification of
Grow-Top1 in Figure 22.

Proof: The derivation in Appendix K shows the total correctness of the Grow-Top1
algorithm. ■

Figure 29 shows an implementation of Transition when $speed \ge n + 1$, and Figure 34 shows
a representative use of Transition when n = 8 in Line 8 of Program 26.

Lemma 24: The algorithm in Figure 29 terminates and satisfies the specification of
Transition in Figure 23.

Proof: The derivation in Appendix K shows the total correctness of the Grow-Top1
algorithm. ■

Finally, Program 30 shows an implementation of Grow-Top2, and Program 31 shows an
implementation of Grow-Bottom2; both require that $speed \ge n + 1$. Figures 35 and 36 show
representative uses of Grow-Top2 and Grow-Bottom2 when n = 8 for the first and last
iterations of the while loop in Lines 9-14 of Program 26.

Lemma 25: The algorithm in Figure 30 terminates and satisfies the specification of
Grow-Top2 in Figure 24.

Proof: The derivation in Appendix M shows the total correctness of the Grow-Top2
algorithm. ■


Grow-Bottom2(y)
preconditions
1  $0 < c < m$
2  $\lfloor n/2 \rfloor \le y < n - 1$
3  $time \bmod cycle = 0$
4  $col = c$
5  $row = y + 1$
6  $\forall \rho < n,\ \kappa < col - 1 : (\rho, \kappa) \in Clear$
7  $\forall \rho : 2\lfloor n/2 \rfloor - y \le \rho < n : (\rho, col - 1) \in Clear$
postconditions
1  $time \bmod cycle = 0$
2  $col = c$
3  $y < n - 2 \Rightarrow row = 2\lfloor n/2 \rfloor - y - 2$
4  $y = n - 2 \Rightarrow row = 0$
5  $\forall \rho < n,\ \kappa < col - 1 : (\rho, \kappa) \in Clear$
6  $\forall \rho \le y : (\rho, col - 1) \in Clear$
7  $y = n - 2 \Rightarrow \forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear$

Fig. 25. Specification for an algorithm that places cleared cells in the lower half of a column.


Clear-Column
1   $y \leftarrow 0$
2   while $y < \lfloor n/2 \rfloor$
3   do
4       Grow-Bottom1(y)
5       Grow-Top1(y)
6       $y \leftarrow y + 1$
7   end do
8   Transition
9   while $y < n - 1$
10  do
11      Grow-Top2(y)
12      Grow-Bottom2(y)
13      $y \leftarrow y + 1$
14  end do

Fig. 26. Algorithm that guarantees the evader is not in a cell when the evader can move diagonally, implementing the
specification of CLEAR-COLUMN in Figure 7.


Grow-Bottom1(y)
1  move S $y$
2  move E 1
3  move N $y + 1$
4  move W 1
5  move N $n - 2y - 2$
6  evader-move

Fig. 27. Algorithm satisfying Grow-Bottom1 specification of Figure 21 when $speed \ge n + 1$.


Grow-Top1(y)
1  move N $y$
2  move E 1
3  move S $y + 1$
4  move W 1
5  if $n > 2y + 3$
6  then
7      move S $n - 2y - 3$
8  end if
9  evader-move

Fig. 28. Algorithm satisfying Grow-Top1 specification of Figure 22 when $speed \ge n + 1$.


Transition
1  move S $\lceil n/2 \rceil - 1$
2  move E 1
3  move N $\lfloor n/2 \rfloor$
4  move S 1
5  evader-move

Fig. 29. Algorithm satisfying Transition specification of Figure 23 when $speed \ge n + 1$.


Grow-Top2(y)
1  move N $2(y - \lfloor n/2 \rfloor) + 1$
2  move W 1
3  move N $n - y - 1$
4  move E 1
5  move S $n - y - 2$
6  evader-move

Fig. 30. Algorithm satisfying Grow-Top2 specification of Figure 24 when $speed \ge n + 1$.


Grow-Bottom2(y)
1  move S $2(y - \lfloor n/2 \rfloor + 1)$
2  move W 1
3  move S $2\lfloor n/2 \rfloor - y - 1$
4  move E 1
5  if $y < 2(\lfloor n/2 \rfloor - 1)$
6  then
7      move N $2\lfloor n/2 \rfloor - y - 2$
8  end if
9  evader-move

Fig. 31. Algorithm satisfying Grow-Bottom2 specification of Figure 25 when $speed \ge n + 1$.
Fig. 32. Partial execution of CLEAR-COLUMN algorithm in Figure 26 when n = 8, y = 0.

[Figure panels: (a) Before any movement; (b) After pursuer's turn in Grow-Bottom1(3); (c) After evader's turn in Grow-Bottom1(3); (d) After pursuer's turn in Grow-Top1(3); (e) After evader's turn in Grow-Top1(3).]

Fig. 33. Partial execution of CLEAR-COLUMN algorithm in Figure 26 when n = 8, y = 3.


Lemma 26: The algorithm in Figure 31 terminates and satisfies the specification of
Grow-Bottom2 in Figure 25.

Proof: The derivation in Appendix N shows the total correctness of the Grow-Bottom2
algorithm. ■

We now can show that speed = n + 1 is a sufficient condition for the pursuer to detect all
evaders when the evaders can move diagonally.

Theorem 27: If the pursuer can move orthogonally only and the evaders can move diagonally,
then to catch the evaders the pursuer's minimum speed is at most min(m, n) + 1 spaces/turn.

Proof: Assume without loss of generality that min(m, n) = n. By Lemmas 22-26, we
have correct implementations of Grow-Bottom1, Grow-Top1, Transition, Grow-Top2,
and Grow-Bottom2 that can be used by the Clear-Column implementation of Figure 26
when $speed \ge n + 1$. By Theorems 21 and 6, we have correct implementations of
Clear-Column and Clear-Last-Column that can be used by the implementation of Clear-Board.
By Theorem 3, we have a correct implementation of Clear-Board. Finally, by Theorem 1, that
algorithm will assure that the pursuer will be collocated with each evader eventually. ■
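
The sweep assembled in the proof of Theorem 27, as an added Python simulation (not code from the paper): it runs Figures 26-31 under the Clear-set bookkeeping of the Move and Evader-Move Lemmas, taking Clear-Last-Column to be the single move N n - 1 of Appendix D. The class and function names, the (row, col) tuple encoding, and the reading of the damaged bounds in the figures as floor(n/2) and ceil(n/2) are assumptions.

```python
# Added simulation, not from the paper. Cells are (row, col); row 0 is the bottom row.
STEP = {"N": (1, 0), "S": (-1, 0), "E": (0, 1), "W": (0, -1)}

class Board:
    def __init__(self, m, n):
        self.m, self.n = m, n            # m columns, n rows
        self.row = self.col = 0          # pursuer starts in the bottom-left cell
        self.clear = {(0, 0)}            # cells known to hold no evader
        self.used = self.max_used = 0    # spaces moved this turn / in the longest turn

    def move(self, direction, spaces):
        """Move Lemma (4): the pursuer clears every cell it occupies."""
        if spaces < 0:
            raise ValueError("negative distance")
        dr, dc = STEP[direction]
        for _ in range(spaces):
            self.row, self.col = self.row + dr, self.col + dc
            if not (0 <= self.row < self.n and 0 <= self.col < self.m):
                raise ValueError("pursuer left the board")
            self.clear.add((self.row, self.col))
        self.used += spaces

    def evader_move(self):
        """Evader-Move Lemma (5), diagonal evaders: a cleared cell touching an uncleared
        cell (8 neighbours) is lost; the pursuer's own cell stays clear."""
        def safe(r, c):
            return all((r + dr, c + dc) in self.clear
                       for dr in (-1, 0, 1) for dc in (-1, 0, 1)
                       if 0 <= r + dr < self.n and 0 <= c + dc < self.m)
        self.clear = {cell for cell in self.clear if safe(*cell)} | {(self.row, self.col)}
        self.max_used, self.used = max(self.max_used, self.used), 0

def grow_bottom1(b, y):                  # Fig. 27
    b.move("S", y); b.move("E", 1); b.move("N", y + 1); b.move("W", 1)
    b.move("N", b.n - 2 * y - 2)
    b.evader_move()

def grow_top1(b, y):                     # Fig. 28
    b.move("N", y); b.move("E", 1); b.move("S", y + 1); b.move("W", 1)
    if b.n > 2 * y + 3:
        b.move("S", b.n - 2 * y - 3)
    b.evader_move()

def transition(b):                       # Fig. 29
    b.move("S", (b.n + 1) // 2 - 1); b.move("E", 1)
    b.move("N", b.n // 2); b.move("S", 1)
    b.evader_move()

def grow_top2(b, y):                     # Fig. 30
    h = b.n // 2
    b.move("N", 2 * (y - h) + 1); b.move("W", 1); b.move("N", b.n - y - 1)
    b.move("E", 1); b.move("S", b.n - y - 2)
    b.evader_move()

def grow_bottom2(b, y):                  # Fig. 31
    h = b.n // 2
    b.move("S", 2 * (y - h + 1)); b.move("W", 1); b.move("S", 2 * h - y - 1)
    b.move("E", 1)
    if y < 2 * (h - 1):
        b.move("N", 2 * h - y - 2)
    b.evader_move()

def clear_column(b):                     # Fig. 26
    y = 0
    while y < b.n // 2:
        grow_bottom1(b, y)
        grow_top1(b, y)
        y += 1
    transition(b)
    while y < b.n - 1:
        grow_top2(b, y)
        grow_bottom2(b, y)
        y += 1

def columns_clear(b, upto):
    """True when every cell in columns 0..upto-1 is in Clear."""
    return all((r, k) in b.clear for r in range(b.n) for k in range(upto))

def clear_board(m, n):
    """Clear-Board as derived in Appendix B. Returns (board fully clear?, most spaces
    moved in any single pursuer turn). Requires n >= 2."""
    b = Board(m, n)
    for _ in range(m - 1):
        clear_column(b)
        if b.row != 0 or not columns_clear(b, b.col):
            return False, b.max_used     # Clear-Column postcondition violated
    b.move("N", n - 1)                   # Clear-Last-Column (Appendix D)
    return columns_clear(b, m), max(b.max_used, b.used)
```

Because `evader_move` recontaminates from the set of uncleared cells rather than tracking individual evaders, a fully clear board at the end holds against every possible evader path.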

V.  Conclusion 

We have established that if the pursuer can move at speeds $s \ge n + 1$, where n is the shorter
dimension of the grid, it has a search strategy that is guaranteed to locate the evader. Moreover,
if the evader cannot move diagonally, then the pursuer also has a search strategy at speed s = n.
Fig. 34. Partial execution of CLEAR-COLUMN algorithm in Figure 26 at execution of Transition.

[Figure panels: (a) Before any movement; (b) After pursuer's turn in Grow-Top2(4); (c) After evader's turn in Grow-Top2(4); (d) After pursuer's turn in Grow-Bottom2(4); (e) After evader's turn in Grow-Bottom2(4).]

Fig. 35. Partial execution of CLEAR-COLUMN algorithm in Figure 26 when n = 8, y = 4.

Fig. 36. Partial execution of CLEAR-COLUMN algorithm in Figure 26 when n = 8, y = 6.


Appendix 

A.  Axiomatic  Semantics 

In  this  section  we  introduce  the  axioms  and  rules  of  inference  used  in  the  derivations  in  the 
other  sections  of  the  appendix.  The  notation  used  in  this  section  is: 

•  $Q$ is the set of program states

•  $\sigma \in Q$ is an arbitrary program state

•  $p, p', q, q', r$ are propositional formulae

•  $x$ is an arbitrary variable name

•  $expr$ is an arbitrary expression that is type-compatible with $x$

•  $b$ is a boolean expression

•  $S, S_1, S_2$ are program fragments: a program fragment is either an atomic command (e.g. an
assignment or a move command) or a composition of program fragments

•  PROC is an arbitrary procedure name

•  declare PROC S indicates the declaration of PROC with procedure body S

•  call PROC indicates the use of PROC

•  params is a list of non-local variables for PROC

•  args is a list of expressions that are type-compatible with the variables in params

•  $p^{x}_{expr}$ is the formula $p$ with every occurrence of $x$ replaced by $expr$

•  $\{p\}$ is the set of program states $\sigma$ such that $\sigma \models p$

•  $\{p\}\ S\ \{q\}$ is a Hoare triple indicating that if the program state satisfies $p$ before $S$ executes,
then $q$ is satisfied after $S$ executes; we assume that any state variables that are not part of
the Hoare triple's specification are left unchanged by $S$

•  $\{p\}\ S\ \{q\}\downarrow$ is a Hoare triple that also indicates that $S$ will terminate without generating a
run-time error

•  $f : Q \to \mathbb{N}$ is an arbitrary function mapping from program states to natural numbers

1) Axioms: We begin with five axioms, the Skip and Assignment Axioms and the three axioms
unique to our language.

a) Skip Axiom: We don't explicitly use the Skip Axiom in any of the algorithms, but we
introduce it nonetheless to emphasize that a command that has no effect does not change the
program state. Moreover, we shall use it to simplify our derivations in later appendices.

$$ \{p\}\ \textbf{no-op}\ \{p\} \tag{6} $$

b) Assignment Axiom: The Assignment Axiom is derived from that used by Hoare [2].

$$ \{p^{x}_{expr}\}\ x \leftarrow expr\ \{p\} \tag{7} $$

Application of the Assignment Axiom is essentially the textual replacement of expr for x in the
precondition. For example: $\{2 < 3\}\ x \leftarrow 2\ \{x < 3\}$. Obviously, this axiom assumes that evaluation
of expr has no side-effects.


c) Move Lemma: The Move Lemma was introduced as (4) in the text. We consider it to
be a lemma since it is Axiom (1) enhanced by definitions in Section III-B. The terms in the
precondition and postcondition are described in Figure 3.

$$
\left\{
\begin{array}{l}
dir \in \{SW, S, SE\} \Rightarrow row = r + spaces \ \land \\
dir \in \{W, E\} \Rightarrow row = r \ \land \\
dir \in \{NW, N, NE\} \Rightarrow row = r - spaces \ \land \\
dir \in \{NW, W, SW\} \Rightarrow col = c + spaces \ \land \\
dir \in \{N, S\} \Rightarrow col = c \ \land \\
dir \in \{NE, E, SE\} \Rightarrow col = c - spaces \ \land \\
time = t - spaces \ \land \\
t \operatorname{div} cycle = time \operatorname{div} cycle \ \land \\
dir = N \Rightarrow \mathcal{F} = \{(r - s, c) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = NE \Rightarrow \mathcal{F} = \{(r - s, c - s) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = E \Rightarrow \mathcal{F} = \{(r, c - s) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = SE \Rightarrow \mathcal{F} = \{(r + s, c - s) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = S \Rightarrow \mathcal{F} = \{(r + s, c) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = SW \Rightarrow \mathcal{F} = \{(r + s, c + s) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = W \Rightarrow \mathcal{F} = \{(r, c + s) \mid s \in [0\,..\,spaces]\} \ \land \\
dir = NW \Rightarrow \mathcal{F} = \{(r - s, c + s) \mid s \in [0\,..\,spaces]\} \ \land \\
Clear \cup \mathcal{F} = C
\end{array}
\right\}
\ \textbf{move}\ dir\ spaces\
\left\{
\begin{array}{l}
row = r \ \land \\
col = c \ \land \\
time = t \ \land \\
Clear = C
\end{array}
\right\}
\tag{4}
$$

The legal values for dir are {NW, N, NE, W, E, SW, S, SE} if the pursuer can move diagonally, and
{N, W, E, S} if the pursuer can only move in the four cardinal directions. The pursuer moves a
distance of $spaces \in \mathbb{N}$ in the specified direction, and so the pursuer's row and col values are
changed by the movement. Each space moved increments time by one unit, but the pursuer is not
permitted to move so far that the move cannot be completed before the evader's turn to move.
Finally, because the pursuer clears each cell it occupies, the set of cleared cells changes.

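d) Evader-Move Lemma: As with the Move Lemma, the Evader-Move Lemma was introduced
as (5) in the text as the enhancement of Axiom (2) by definitions in Section III-B. The
terms in the precondition and postcondition are described in Figure 3.

$$
\left\{
\begin{array}{l}
t \operatorname{div} cycle = (time \operatorname{div} cycle) + 1 \ \land \\
t \bmod cycle = 0 \ \land \\
\mathcal{F} = \{(r, c) \mid \exists (\rho, \kappa) \notin Clear : \text{e-adjacent}((\rho, \kappa), (r, c))\} \ \land \\
(Clear \setminus \mathcal{F}) \cup \{(row, col)\} = C
\end{array}
\right\}
\ \textbf{evader-move}\
\left\{
\begin{array}{l}
time = t \ \land \\
Clear = C
\end{array}
\right\}
\tag{5}
$$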

Invoking  evader-move  has  two  effects.  The  first  is  to  advance  the  clock  to  the  beginning  of 
the  pursuer’s  next  turn.  The  other  effect  is  to  change  the  set  of  cleared  cells.  Any  cell  that  is 
e-adjacent  to  an  uncleared  cell  cannot  be  cleared  after  the  evader  has  moved;  the  one  exception 
is  the  cell  currently  occupied  by  the  pursuer. 

e)  Wait  Axiom:  The  Wait  Axiom  was  introduced  as  (3)  in  the  text.  Its  purpose  is  to  provide 
a  mechanism  to  increment  time  without  moving  the  pursuer  or  evader. 


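$$
\left\{
\begin{array}{l}
time = t - duration \ \land \\
t \operatorname{div} cycle = time \operatorname{div} cycle
\end{array}
\right\}
\ \textbf{wait}\ duration\ \{time = t\}
\tag{3}
$$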


2) Inference Rules: We now cover seven rules of inference. Six of these rules are used when
the derivation uses structured programming constructs; the other rule can be used to simplify
derivations.

a) Consequence Rule: The Consequence Rule is the combination of Hoare's two Rules of
Consequence [2].

$$ \{p\}\ S\ \{q\},\quad p' \Rightarrow p,\quad q \Rightarrow q' \ \vdash\ \{p'\}\ S\ \{q'\} \tag{8} $$

Put simply, the Consequence Rule permits us to begin the derivation step with a stronger
precondition than the specified precondition and end the derivation step asserting a weaker postcondition
than the specified postcondition. For example, if the specification is $\{true\}\ S\ \{x = 3\}$ then our
derivation step could instead show $\{x = 42\}\ S\ \{x < 42\}$.


b) Sequential Composition Rule: The Sequential Composition Rule is Hoare's Rule of
Sequential Composition [2]. It permits us to combine two program fragments as straight-line code.

$$ \{p\}\ S_1\ \{q\},\quad \{q\}\ S_2\ \{r\} \ \vdash\ \{p\}\ S_1; S_2\ \{r\} \tag{9} $$

Note that because of the Consequence Rule, the specified postcondition of $S_1$ and the precondition
of $S_2$ need not be identical.

c) Conditional Rules: When Hoare introduced axiomatic semantics [2], he initially omitted
the if-then-else construct. Within a couple years, he had corrected this, and the first Conditional
Rule is his Rule of Alternation [3].

$$ \{p \land b\}\ S_1\ \{q\},\quad \{p \land \neg b\}\ S_2\ \{q\} \ \vdash\ \{p\}\ \textbf{if}\ b\ \textbf{then}\ S_1\ \textbf{else}\ S_2\ \textbf{end if}\ \{q\} \tag{10} $$

Our second Conditional Rule is a special case of the first, where $S_2$ can be considered to be
no-op:

$$ \{p \land b\}\ S\ \{q\},\quad p \land \neg b \Rightarrow q \ \vdash\ \{p\}\ \textbf{if}\ b\ \textbf{then}\ S\ \textbf{end if}\ \{q\} \tag{11} $$

d) Iteration Rule: The Iteration Rule comes from Hoare's Rule of Iteration [2].

$$ \{p \land b\}\ S\ \{p\} \ \vdash\ \{p\}\ \textbf{while}\ b\ \textbf{do}\ S\ \textbf{end do}\ \{p \land \neg b\} \tag{12} $$

A derivation involving a loop requires us to establish a loop invariant, that is, a proposition that
will be satisfied at the beginning and end of every loop iteration. If the loop invariant p holds
before the while loop, then p and the negation of the loop condition will hold after the while
loop. Note that this Iteration Rule can only be used to establish partial correctness: the rule says
nothing about whether the loop will terminate, only that if the loop terminates then $p \land \neg b$ is
satisfied after it terminates.

e) Invocation Rules: Our first Invocation Rule is Hoare's first Rule of Invocation [3], for
procedures that do not use parameters.

$$ \textbf{declare}\ PROC\ S,\quad \{p\}\ S\ \{q\} \ \vdash\ \{p\}\ \textbf{call}\ PROC\ \{q\} \tag{13} $$

We combine Hoare's second Rule of Invocation with his Rule of Substitution for our second
Invocation Rule. params is the list of formal parameters for the procedure, and args is a list of
expressions that correspond to the formal parameters.

$$ \textbf{declare}\ PROC(params)\ S,\quad \{p\}\ S\ \{q\},\quad \|params\| = \|args\| \ \vdash\ \{p^{params}_{args}\}\ \textbf{call}\ PROC(args)\ \{q^{params}_{args}\} \tag{14} $$

While our language is pass-by-value, we make the simplifying assumption in this proof rule that
no terms in the expressions in args are assigned new values in the procedure body. Of course
doing so would have no effect on the values in args, but it would complicate the substitution
portion of our second Invocation Rule.

We have not used all the rules from Hoare's axiomatic treatment of procedures [3]. For example,
Invocation Rules (13) and (14) are insufficient for recursive calls, but we do not use recursive
calls in this paper. We also have not introduced Hoare's Rule of Declaration, since we do not
use local variable names inside procedure bodies that are also the names of variables in a greater
scope.

3) Total Correctness: In the previous two sections, we covered the material that can be used
to demonstrate program correctness if the program terminates error-free. We will now cover the
material that can be used to demonstrate that the program will terminate.

a) Skip Lemma: We begin with the trivial: by definition, no-op will always terminate without
generating a run-time error.

$$ \{p\}\ \textbf{no-op}\ \{p\}\downarrow \tag{15} $$


b) Assignment Rule: The Assignment Axiom is not, in and of itself, sufficient to establish that
an assignment command will terminate error-free. As we did with the Skip Axiom, we could
define assignments as always terminating, but that would be inappropriate. Manna did not alter
his Assignment Axiom check name! [4], there are still two ways in which the assignment would
fail to terminate correctly reference!. If expr contains a function call, then the function might
not terminate; as our language does not include functions, this is not an issue for us. The other
concern is that the evaluation of expr might generate an error: it might involve a divide-by-zero
error, or it might evaluate to a value outside x's range.

$$ \text{“}expr\text{ is error-free”},\quad \{p^{x}_{expr}\}\ x \leftarrow expr\ \{p\} \ \vdash\ \{p^{x}_{expr}\}\ x \leftarrow expr\ \{p\}\downarrow \tag{16} $$


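c) Move Rule: Similar to the concern with assignments that an illegal value not be assigned,
we must be cautious that when the pursuer moves, it does not move off the board.

$$
\begin{array}{l}
\text{“}dir\text{ and }spaces\text{ are error-free”},\quad p \Rightarrow (0 \le row < n) \land (0 \le col < m), \\
q \Rightarrow (0 \le row < n) \land (0 \le col < m),\quad \{p\}\ \textbf{move}\ dir\ spaces\ \{q\} \ \vdash\ \{p\}\ \textbf{move}\ dir\ spaces\ \{q\}\downarrow
\end{array}
\tag{17}
$$

d) Evader-Move Lemma: As with no-op, we can safely define evader-move $\downarrow$:

$$
\left\{
\begin{array}{l}
t \operatorname{div} cycle = (time \operatorname{div} cycle) + 1 \ \land \\
t \bmod cycle = 0 \ \land \\
\mathcal{F} = \{(r, c) \mid \exists (\rho, \kappa) \notin Clear : \text{e-adjacent}((\rho, \kappa), (r, c))\} \ \land \\
(Clear \setminus \mathcal{F}) \cup \{(row, col)\} = C
\end{array}
\right\}
\ \textbf{evader-move}\
\left\{
\begin{array}{l}
time = t \ \land \\
Clear = C
\end{array}
\right\}
\downarrow
\tag{18}
$$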

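e) Wait Rule: The wait command can safely be assumed to terminate, provided the
precondition is satisfied and the expression within the command is cleanly evaluated:

$$ \text{“}duration\text{ is error-free”},\quad \{p\}\ \textbf{wait}\ duration\ \{q\} \ \vdash\ \{p\}\ \textbf{wait}\ duration\ \{q\}\downarrow \tag{19} $$

f) Consequence, Sequential Composition, and Conditional Rules: These rules require no
special treatment (double check!); if the program fragments terminate, then so do the constructs
(probably ought to cite that):

$$ \{p\}\ S\ \{q\}\downarrow,\quad p' \Rightarrow p,\quad q \Rightarrow q' \ \vdash\ \{p'\}\ S\ \{q'\}\downarrow \tag{20} $$

$$ \{p\}\ S_1\ \{q\}\downarrow,\quad \{q\}\ S_2\ \{r\}\downarrow \ \vdash\ \{p\}\ S_1; S_2\ \{r\}\downarrow \tag{21} $$

$$ \{p \land b\}\ S_1\ \{q\}\downarrow,\quad \{p \land \neg b\}\ S_2\ \{q\}\downarrow \ \vdash\ \{p\}\ \textbf{if}\ b\ \textbf{then}\ S_1\ \textbf{else}\ S_2\ \textbf{end if}\ \{q\}\downarrow \tag{22} $$

$$ \{p \land b\}\ S\ \{q\}\downarrow,\quad p \land \neg b \Rightarrow q \ \vdash\ \{p\}\ \textbf{if}\ b\ \textbf{then}\ S\ \textbf{end if}\ \{q\}\downarrow \tag{23} $$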

g) Iteration Rule: The Iteration Rule (24) in Section A.2 uses a loop invariant to establish
that a loop has correct behavior if it terminates. We now introduce a variant function to establish
that the loop terminates. When Manna introduced this concept, he required the variant function
to range over a well-founded set [4]; however, for simplicity's sake, we shall limit that to the natural
numbers.

$$
\begin{array}{l}
\exists f : Q \to \mathbb{N}\ \ \forall k \in \mathbb{N}^{+} :: \{p \land b \land (f(\sigma) = k)\}\ S\ \{p \land (f(\sigma) < k)\}\downarrow, \\
(f(\sigma) = 0) \Rightarrow \neg b \ \vdash\ \{p\}\ \textbf{while}\ b\ \textbf{do}\ S\ \textbf{end do}\ \{p \land \neg b\}\downarrow
\end{array}
\tag{24}
$$

Notice that the requirement for f is that each iteration reduce its value. Since f ranges over $\mathbb{N}$, it
will eventually reach 0, and the loop must terminate when $f(\sigma) = 0$.

h) Invocation Rules: Total correctness of the first Invocation Rule requires no special
treatment; if the procedure body terminates, then the procedure call terminates (reference):

$$ \textbf{declare}\ PROC\ S,\quad \{p\}\ S\ \{q\}\downarrow \ \vdash\ \{p\}\ \textbf{call}\ PROC\ \{q\}\downarrow \tag{25} $$

Finally, total correctness of the second Invocation Rule requires not only that the procedure body
terminate error-free, but also that the expressions in args evaluate error-free (reference).

$$
\begin{array}{l}
\textbf{declare}\ PROC(params)\ S,\quad \{p\}\ S\ \{q\}\downarrow,\quad \|params\| = \|args\|, \\
\forall expr \in args : \text{“}expr\text{ is error-free”} \ \vdash\ \{p^{params}_{args}\}\ \textbf{call}\ PROC(args)\ \{q^{params}_{args}\}\downarrow
\end{array}
$$


B.  Derivation of Clear-Board in Figure 5
We make use of the following loop invariant:

$$ (x < m) \land (time \bmod cycle = 0) \land (0 \le col = x < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \tag{27} $$

And the following loop variant function:

$$ f(\sigma) = m - x \tag{28} $$

$\{\ (time = 0) \land (0 \le col = 0 < m) \land (0 \le row = 0 < n)\ \}$  ▷ precondition
1  $x \leftarrow 0$
$\{\ (x = 0) \land (time = 0) \land (0 \le col = 0 < m) \land (0 \le row = 0 < n)\ \}$
$\{\ (x = 0) \land (time \bmod cycle = 0) \land (0 \le col = x < m) \land (0 \le row = 0 < n)\ \}$
    ▷ $0 \le m - 1 < m$
    ▷ $\{(\rho, \kappa) \mid \rho < n,\ \kappa < 0\} = \emptyset$
    ▷ $f(\sigma) = 0 \Rightarrow x = m > m - 1$
2  while $x < m - 1$
3  do
$\{\ (x < m - 1 < m) \land (time \bmod cycle = 0) \land (0 \le col = x < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$
    ▷ $(27) \land (x < m - 1)$
    ▷ $f(\sigma) = m - x = k > 1$
4      Clear-Column
$\{\ (x < m - 1) \land (time \bmod cycle = 0) \land (0 \le col = x + 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$
5      $x \leftarrow x + 1$
$\{\ (x < m) \land (time \bmod cycle = 0) \land (0 \le col = x < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$
    ▷ $(27)$
    ▷ $f(\sigma) = m - x - 1 < k$
6  end do
$\{\ (x = m - 1 < m) \land (time \bmod cycle = 0) \land (0 \le col = m - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < m - 1 : (\rho, \kappa) \in Clear)\ \}$
    ▷ $(27) \land \neg(x < m - 1)$
7  Clear-Last-Column
$\{\ (\forall \rho < n,\ \kappa < m : (\rho, \kappa) \in Clear)\ \}$  ▷ postcondition


C.  Derivation of Clear-Column in Figure 9
We make use of the following loop invariant:

$$
\begin{array}{l}
(0 < c < m) \land (y < n) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \ \land \\
(\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : y + 1 \le \rho < n : (\rho, col) \in Clear)
\end{array}
\tag{29}
$$

And the following loop variant function:

$$ f(\sigma) = y \tag{30} $$

Note that the c in this invariant is the c “magic” variable¹ in Clear-Column's specification,
which is distinct from the c “magic” variables in Clear-Cell and Clear-Last-Cell. The
significance of its appearance in the loop invariant is that the pursuer must begin every iteration
in the same column.

$\{\ (0 < c < m) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$  ▷ precondition
1  $y \leftarrow n - 1$
$\{\ (0 < c < m) \land (y = n - 1) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$
    ▷ $0 \le n - 1 < n$
    ▷ $\{(\rho, col) \mid n - 1 + 1 \le \rho < n\} = \emptyset$
    ▷ $f(\sigma) = 0 \Rightarrow y \le 0$
2  while $y > 0$
3  do
$\{\ (0 < c < m) \land (0 < y < n) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : y + 1 \le \rho < n : (\rho, col) \in Clear)\ \}$
    ▷ $(29) \land (y > 0)$
    ▷ $f(\sigma) = y = k$
    ▷ $c_{\text{Clear-Cell}} = c_{\text{Clear-Column}} - 1$
4      Clear-Cell(y)
$\{\ (0 < c < m) \land (0 < y < n) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : y \le \rho < n : (\rho, col) \in Clear)\ \}$
$\{\ (0 < c < m) \land (y - 1 < n) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : y - 1 + 1 \le \rho < n : (\rho, col) \in Clear)\ \}$
5      $y \leftarrow y - 1$
$\{\ (0 < c < m) \land (y < n) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : y + 1 \le \rho < n : (\rho, col) \in Clear)\ \}$
    ▷ $(29)$
    ▷ $f(\sigma) = y - 1 < k$
6  end do
$\{\ (0 < c < m) \land (y = 0 < n) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : y + 1 \le \rho < n : (\rho, col) \in Clear)\ \}$
    ▷ $(29) \land \neg(y > 0)$
$\{\ (0 < c < m) \land (time \bmod cycle = 0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : 1 \le \rho < n : (\rho, col) \in Clear)\ \}$
    ▷ $c_{\text{Clear-Last-Cell}} = c_{\text{Clear-Column}}$
7  Clear-Last-Cell
$\{\ (time \bmod cycle = 0) \land (0 \le col = c < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$  ▷ postcondition

¹ Is there a better name? “parameter”? “specification variable”?


D.  Derivation of Clear-Last-Column in Figure 13
We assume the time is initially $t_0$.

$\{\ (speed \ge n - 1) \land (time \bmod cycle = 0) \land (time = t_0) \land (0 \le col = m - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < m - 1 : (\rho, \kappa) \in Clear)\ \}$  ▷ precondition
$\{\ (cycle > n - 1) \land (t_0 \bmod cycle = 0) \land (time = t_0) \land (0 \le col = m - 1 < m) \land (0 \le row = 0 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa < m - 1\} \subseteq Clear) \land ((t_0 + n - 1) \operatorname{div} cycle = t_0 \operatorname{div} cycle)\ \}$
1  move N $n - 1$
$\{\ (cycle > n - 1) \land (t_0 \bmod cycle = 0) \land (time = t_0 + n - 1) \land (0 \le col = m - 1 < m) \land (0 \le row = n - 1 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa < m\} \subseteq Clear)\ \}$
$\{\ (\forall \rho < n,\ \kappa < m : (\rho, \kappa) \in Clear)\ \}$  ▷ postcondition


E.  Derivation of Clear-Last-Cell in Figure 14
We assume the time is initially $t_0$.

$\{\ (speed \ge n) \land (0 < c < m) \land (time \bmod cycle = 0) \land (time = t_0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear) \land (\forall \rho : 1 \le \rho < n : (\rho, col) \in Clear)\ \}$  ▷ precondition
$\{\ (cycle > n) \land (0 < c < m) \land (t_0 \bmod cycle = 0) \land (time = t_0) \land (0 \le col = c - 1 < m) \land (0 \le row = 0 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa < c - 1\} \cup \{(\rho, c - 1) \mid 1 \le \rho < n\} \subseteq Clear) \land ((t_0 + 1) \operatorname{div} cycle = t_0 \operatorname{div} cycle)\ \}$
1  move E 1
$\{\ (cycle > n) \land (0 < c < m) \land (t_0 \bmod cycle = 0) \land (time = t_0 + 1) \land (0 \le col = c < m) \land (0 \le row = 0 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa < c\} \cup \{(0, c)\} \subseteq Clear) \land ((t_0 + n) \operatorname{div} cycle = (t_0 + 1) \operatorname{div} cycle)\ \}$
2  move N $n - 1$
$\{\ (cycle > n) \land (0 < c < m) \land (t_0 \bmod cycle = 0) \land (time = t_0 + n) \land (0 \le col = c < m) \land (0 \le row = n - 1 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa \le c\} \subseteq Clear)\ \}$
$\{\ (cycle > n) \land (0 < c < m) \land ((t_0 + cycle) \bmod cycle = 0) \land (time = t_0 + n) \land (0 \le col = c < m) \land (0 \le row = n - 1 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa \le c\} \subseteq Clear) \land (\forall \rho < n : \text{e-adjacent}((\rho, c + 1), (\rho, c))) \land ((t_0 + cycle) \operatorname{div} cycle = (t_0 + n) \operatorname{div} cycle + 1)\ \}$
3  evader-move
$\{\ (cycle > n) \land (0 < c < m) \land ((t_0 + cycle) \bmod cycle = 0) \land (time = t_0 + cycle) \land (0 \le col = c < m) \land (0 \le row = n - 1 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa < c\} \cup \{(n - 1, c)\} \subseteq Clear) \land ((t_0 + cycle + n - 1) \operatorname{div} cycle = (t_0 + cycle) \operatorname{div} cycle)\ \}$
4  move S $n - 1$
$\{\ (cycle > n) \land (0 < c < m) \land ((t_0 + cycle) \bmod cycle = 0) \land (time = t_0 + cycle + n - 1) \land (0 \le col = c < m) \land (0 \le row = 0 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa \le c\} \subseteq Clear)\ \}$
$\{\ (cycle > n) \land (0 < c < m) \land ((t_0 + 2\,cycle) \bmod cycle = 0) \land (time = t_0 + cycle + n - 1) \land (0 \le col = c < m) \land (0 \le row = 0 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa \le c\} \subseteq Clear) \land (\forall \rho < n : \text{e-adjacent}((\rho, c + 1), (\rho, c))) \land ((t_0 + 2\,cycle) \operatorname{div} cycle = (t_0 + cycle + n - 1) \operatorname{div} cycle + 1)\ \}$
5  evader-move
$\{\ (cycle > n) \land (0 < c < m) \land ((t_0 + 2\,cycle) \bmod cycle = 0) \land (time = t_0 + 2\,cycle) \land (0 \le col = c < m) \land (0 \le row = 0 < n) \land (\{(\rho, \kappa) \mid \rho < n,\ \kappa < c\} \cup \{(0, c)\} \subseteq Clear)\ \}$
$\{\ (time \bmod cycle = 0) \land (0 \le col = c < m) \land (0 \le row = 0 < n) \land (\forall \rho < n,\ \kappa < col : (\rho, \kappa) \in Clear)\ \}$  ▷ postcondition


F.  Derivation  of  Clear-Cell  in  Figure  15 
We assume the time is initially t0.


{ (speed > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (time mod cycle = 0) ∧ (time = t0) ∧ (0 < col = c < m) ∧
  (0 < row = 0 < n) ∧ (∀q < n, k < col : (q, k) ∈ Clear) ∧ (∀q : y + 1 < q < n : (q, col) ∈ Clear) }

>  precondition


{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y + 1 < q < n} ⊆ Clear) ∧
  ((t0 + y) div cycle = t0 div cycle) }

1 move N y

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y) ∧
  (0 < col = c < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ⊆ Clear) ∧ ((t0 + y + 1) div cycle = (t0 + y) div cycle) }

2 move E 1

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y + 1) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ∪ {(y, c + 1)} ⊆ Clear) ∧
  ((t0 + n) div cycle = t0 + y + 1 div cycle) }

3 move N n − y − 1

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + n) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y < q < n} ⊆ Clear) }


{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + n) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y < q < n} ⊆ Clear) ∧
  (∀q : q < y : e-adjacent((q, c + 1), (q, c))) ∧ (∀q : y < q < n : e-adjacent((q, c + 2), (q, c + 1))) ∧
  ((t0 + cycle) div cycle = (t0 + n) div cycle + 1) }

4 evader-move

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y < q < n} ⊆ Clear) ∧
  ((t0 + cycle + n − y − 1) div cycle = (t0 + cycle) div cycle) }

5 move S n − y − 1

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n − y − 1) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, k) | y < q < n, c < k < c + 1} ⊆ Clear) ∧
  ((t0 + cycle + n − y) div cycle = (t0 + cycle + n − y − 1) div cycle) }

6 move W 1

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n − y) ∧
  (0 < col = c < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, k) | y < q < n, c < k < c + 1} ⊆ Clear) ∧
  ((t0 + cycle + n) div cycle = (t0 + cycle + n − y) div cycle) }

7 move S y

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y < q < n} ⊆ Clear) }


{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y < q < n} ⊆ Clear) ∧
  (∀q : q < y : e-adjacent((q, c + 1), (q, c))) ∧ (∀q : y < q < n : e-adjacent((q, c + 2), (q, c + 1))) ∧
  ((t0 + 2 cycle) div cycle = (t0 + cycle + n) div cycle + 1) }

8 evader-move

{ (cycle > n) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + 2 cycle) mod cycle = 0) ∧ (time = t0 + 2 cycle) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y < q < n} ⊆ Clear) }


{ (time mod cycle = 0) ∧ (0 < col = c < m) ∧ (0 < row = 0 < n) ∧
  (∀q < n, k < col : (q, k) ∈ Clear) ∧ (∀q : y < q < n : (q, col) ∈ Clear) }


>  postcondition


G. Derivation of Clear-Cell in Figure 17
We assume the time is initially t0.


{ (speed > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (time mod cycle = 0) ∧ (time = t0) ∧ (0 < col = c < m) ∧
  (0 < row = 0 < n) ∧ (∀q < n, k < col : (q, k) ∈ Clear) ∧ (∀q : y + 1 < q < n : (q, col) ∈ Clear) }


>  precondition


{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y + 1 < q < n} ⊆ Clear) ∧
  ((t0 + y) div cycle = t0 div cycle) }

1 move N y

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y) ∧
  (0 < col = c < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ⊆ Clear) ∧ ((t0 + y + 1) div cycle = (t0 + y) div cycle) }

2 move SE 1

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y + 1) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = y − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(y − 1, c + 1)} ⊆ Clear) ∧
  ((t0 + n + 1) div cycle = (t0 + y + 1) div cycle) }

3 move N n − y

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + n + 1) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) }


{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + n + 1) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) ∧
  (∀q : q < y : e-adjacent((q, c + 1), (q, c))) ∧ (∀q : y − 1 < q < n : e-adjacent((q, c + 2), (q, c + 1))) ∧
  (e-adjacent((c + 1, y − 2), (c, y − 1))) ∧ ((t0 + cycle) div cycle = (t0 + n + 1) div cycle + 1) }

4 evader-move

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y < q < n} ⊆ Clear) ∧
  ((t0 + cycle + n − y) div cycle = (t0 + cycle) div cycle) }

5 move S n − y

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n − y) ∧
  ({(q, k) | q < n, k < c} ∪ {(q, k) | y < q < n, c < k < c + 1} ∪ {(y − 1, c + 1)} ⊆ Clear) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = y − 1 < n) ∧ ((t0 + cycle + n − y + 1) div cycle = (t0 + cycle + n − y) div cycle) }

6 move W 1

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧
  (time = t0 + cycle + n − y + 1) ∧ (0 < col = c < m) ∧ (0 < row = y − 1 < n) ∧
  ({(q, k) | q < n, k < c} ∪ {(q, k) | y − 1 < q < n, c < k < c + 1} ⊆ Clear) ∧
  ((t0 + cycle + n) div cycle = (t0 + cycle + n − y + 1) div cycle) }

7 move S y − 1

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (0 < col = c < m) ∧ (0 < row = 0 < n) ∧
  (time = t0 + cycle + n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) }


{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) ∧
  (∀q : q < y : e-adjacent((q, c + 1), (q, c))) ∧ (∀q : y − 1 < q < n : e-adjacent((q, c + 2), (q, c + 1))) ∧
  (e-adjacent((c + 1, y − 2), (c, y − 1))) ∧ ((t0 + 2 cycle) div cycle = (t0 + cycle + n) div cycle + 1) }

8 evader-move

{ (cycle > n + 1) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + 2 cycle) mod cycle = 0) ∧ (time = t0 + 2 cycle) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y < q < n} ⊆ Clear) }


{ (time mod cycle = 0) ∧ (0 < col = c < m) ∧ (0 < row = 0 < n) ∧
  (∀q < n, k < col : (q, k) ∈ Clear) ∧ (∀q : y < q < n : (q, col) ∈ Clear) }


>  postcondition


H. Derivation of Clear-Cell in Figure 19
We assume the time is initially t0.


{ (speed > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (time mod cycle = 0) ∧ (time = t0) ∧ (0 < col = c < m) ∧
  (0 < row = 0 < n) ∧ (∀q < n, k < col : (q, k) ∈ Clear) ∧ (∀q : y + 1 < q < n : (q, col) ∈ Clear) }


>  precondition


{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y + 1 < q < n} ⊆ Clear) ∧
  ((t0 + y) div cycle = t0 div cycle) }

1 move N y

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y) ∧
  (0 < col = c < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ⊆ Clear) ∧ ((t0 + y + 1) div cycle = (t0 + y) div cycle) }

2 move E 1

(cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y + 1) ∧
(0 < col = c + 1 < m) ∧ (0 < row = y < n) ∧ ({(q, k) | q < n, k < c} ∪ {(y, c + 1)} ⊆ Clear) ∧ ((t0 + y + 2) div cycle = (

3 move S 1

(cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + y + 2) ∧
(0 < col = c + 1 < m) ∧ (0 < row = y − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(y − 1, c + 1), (y, c + 1)} ⊆ Clear) ∧ ((t0 + n

4 move N n − y

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + n + 2) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) }


{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ (t0 mod cycle = 0) ∧ (time = t0 + n + 2) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) ∧
  (∀q : q < y : e-adjacent((q, c + 1), (q, c))) ∧ (∀q : y − 1 < q < n : e-adjacent((q, c + 2), (q, c + 1))) ∧
  (e-adjacent((c + 1, y − 2), (c, y − 1))) ∧ ((t0 + cycle) div cycle = (t0 + n + 2) div cycle + 1) }

5 evader-move

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = n − 1 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y < q < n} ⊆ Clear) ∧
  ((t0 + cycle + n − y) div cycle = (t0 + cycle) div cycle) }

6 move S n − y

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n − y) ∧
  ({(q, k) | q < n, k < c} ∪ {(q, k) | y < q < n, c < k < c + 1} ∪ {(y − 1, c + 1)} ⊆ Clear) ∧
  (0 < col = c + 1 < m) ∧ (0 < row = y − 1 < n) ∧ ((t0 + cycle + n − y + 1) div cycle = (t0 + cycle + n − y) div cycle) }

7 move W 1

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧
  (time = t0 + cycle + n − y + 1) ∧ (0 < col = c < m) ∧ (0 < row = y − 1 < n) ∧
  ({(q, k) | q < n, k < c} ∪ {(q, k) | y − 1 < q < n, c < k < c + 1} ⊆ Clear) ∧
  ((t0 + cycle + n) div cycle = (t0 + cycle + n − y + 1) div cycle) }

8 move S y − 1

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (0 < col = c < m) ∧ (0 < row = 0 < n) ∧
  (time = t0 + cycle + n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) }

⇒

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + cycle) mod cycle = 0) ∧ (time = t0 + cycle + n) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c + 1) | y − 1 < q < n} ⊆ Clear) ∧
  (∀q : q < y : e-adjacent((q, c + 1), (q, c))) ∧ (∀q : y − 1 < q < n : e-adjacent((q, c + 2), (q, c + 1))) ∧
  (e-adjacent((c + 1, y − 2), (c, y − 1))) ∧ ((t0 + 2 cycle) div cycle = (t0 + cycle + n) div cycle + 1) }

9 evader-move

{ (cycle > n + 2) ∧ (c < m − 1) ∧ (0 < y < n) ∧ ((t0 + 2 cycle) mod cycle = 0) ∧ (time = t0 + 2 cycle) ∧
  (0 < col = c < m) ∧ (0 < row = 0 < n) ∧ ({(q, k) | q < n, k < c} ∪ {(q, c) | y < q < n} ⊆ Clear) }


{ (time mod cycle = 0) ∧ (0 < col = c < m) ∧ (0 < row = 0 < n) ∧
  (∀q < n, k < col : (q, k) ∈ Clear) ∧ (∀q : y < q < n : (q, col) ∈ Clear) }


>  postcondition 
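The position and time conjuncts of the three Clear-Cell derivations (Appendices F, G and H) can be checked mechanically by replaying the move statements. The following is an added example, not code from the paper: it takes the statements and inequalities as printed here, assumes that evader-move advances time to the next multiple of cycle, and assumes y ≥ 1 for Figures 17 and 19 (whose sequences visit row y − 1). The names program, replay and min_cycle are hypothetical.

```python
"""Replay of the Clear-Cell move sequences from Appendices F, G and H."""

# Unit steps as (d_row, d_col): rows are numbered from the bottom row,
# columns from the leftmost column, as in the game description.
STEP = {"N": (1, 0), "S": (-1, 0), "E": (0, 1), "W": (0, -1), "SE": (-1, 1)}
EVADER_MOVE = "evader-move"


class CycleOverrun(Exception):
    """A move statement would carry `time` across a multiple of `cycle`."""


def program(fig, n, y):
    """Statement list of Clear-Cell as printed for Figure 15, 17 or 19."""
    if fig == 15:
        return [("N", y), ("E", 1), ("N", n - y - 1), EVADER_MOVE,
                ("S", n - y - 1), ("W", 1), ("S", y), EVADER_MOVE]
    if fig == 17:
        return [("N", y), ("SE", 1), ("N", n - y), EVADER_MOVE,
                ("S", n - y), ("W", 1), ("S", y - 1), EVADER_MOVE]
    if fig == 19:
        return [("N", y), ("E", 1), ("S", 1), ("N", n - y), EVADER_MOVE,
                ("S", n - y), ("W", 1), ("S", y - 1), EVADER_MOVE]
    raise ValueError(f"no Clear-Cell program recorded for Figure {fig}")


def replay(fig, m, n, c, y, cycle, t0=0):
    """Run the program from (row 0, col c) at time t0.

    Returns the list of (row, col, time) states after each statement.
    Raises CycleOverrun when a `div cycle` side condition fails, and
    ValueError when a precondition fails or the pursuer leaves the grid.
    """
    if t0 % cycle != 0:
        raise ValueError("precondition: time mod cycle = 0")
    if not (0 <= c < m - 1 and 0 <= y < n):
        raise ValueError("precondition: c < m - 1 and y < n")
    if fig != 15 and y < 1:
        # Assumption of this example: Figures 17 and 19 step to row y - 1.
        raise ValueError("assumed: y >= 1 for Figures 17 and 19")

    row, col, time = 0, c, t0
    trace = []
    for stmt in program(fig, n, y):
        if stmt == EVADER_MOVE:
            # Assumed reading: time jumps to the next multiple of cycle,
            # matching "time = t0 + cycle" after the first evader-move.
            time = (time // cycle + 1) * cycle
        else:
            direction, count = stmt
            # Side condition of every move step in the derivations:
            # (time + count) div cycle = time div cycle.
            if (time + count) // cycle != time // cycle:
                raise CycleOverrun(f"move {direction} {count} at time {time}")
            d_row, d_col = STEP[direction]
            for _ in range(count):
                row, col = row + d_row, col + d_col
                if not (0 <= row < n and 0 <= col < m):
                    raise ValueError("pursuer left the board")
            time += count
        trace.append((row, col, time))
    return trace


def min_cycle(fig, m, n, c, y):
    """Smallest cycle for which every `div cycle` side condition holds."""
    for cycle in range(1, 2 * n + 8):
        try:
            replay(fig, m, n, c, y, cycle)
        except CycleOverrun:
            continue
        return cycle
    raise RuntimeError("no admissible cycle found in the search range")


if __name__ == "__main__":
    for fig in (15, 17, 19):
        print(fig, min_cycle(fig, m=5, n=4, c=1, y=2),
              replay(fig, m=5, n=4, c=1, y=2, cycle=7)[-1])
```

The smallest admissible cycle comes out as n + 1, n + 2 and n + 3, which is exactly the printed cycle > n, cycle > n + 1 and cycle > n + 2. The replay does not model the Clear set or e-adjacent.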


I.  Derivation  of  CLEAR-COLUMN  in  Figure  26 

We  make  use  of  two  loop  invariants.  For  the  loop  in  lines  2-7: 

(0  <  c  <  to)  A  (y  <  [|J )  A  ( time  mod  cycle  =  0)  A  (0  <  col  =  c  —  1  <  to)  A  (y  <  |~^]  =>  row  =  y) A 
(y  =  [f]  =>  rout  =  t/  —  1)  A  (Vy  <  n,  k  <  col  :  (y,  k)  £  Clear )  A  (Vy  :  n  —  y  <  y  <  n  :  (y,  col)  £  Clear ) 

(31) 

For  the  loop  in  lines  9-14: 

(0  <  c  <  to)  A  ( <  y  <  n)  A  (fzme  mod  cycZe  =  0)  A  (0  <  col  =  c  <  to)  A  (y  <  n  —  1  =>  row  =  2  —  y  —  1)A 

(y  =  n  —  1  =>  row  =  0)  A  (Vy  <  n,  k  <  col  —1  :  (y,  k)  £  Clear )  A  (Vy  <y  :  (y,  col  —1)  €  Clear)  A 
(y  =  n  —  1  =>  (n  —  1,  col  —1)  £  Clear) 

(32) 

Both  loops  use  the  following  loop  variant  function: 


f(σ) = n − y (33)

j  (0  <  c  <  to)  A  (time  mod  cycle  =  0)  A  (0  <  col  =  c  —  1  <  to)  A  (0  <  row  =  0  <  n)  A  1 
(  (Vy  <  n,  k  <  col  :  ( q ,  k)  £  Clear)  J  ^  ^reC 

1 y ← 0

J  (0  <  c  <  to)  A  (y  =  0)  A  (time  mod  cycZe  =  0)  A  (0  <  col  =  c  —  1  <  m)  A  (0  <  row  =  0  <  n)  A 
(  (Vy  <  n,  k  <  col  :  (y,  k)  £  Clear) 

>  o  <  Lf J 

>  {(y,  col) \n  —  0  <  y  <  n}  =  0 

>  f (o' )  =  0=>y  =  n>n  —  1  >  [|J 

2  while  y  <  [|J 


>  precondition 


f  (0  <  c  <  to)  A  (y  <  |_^J )  A  (time  mod  cycle  =  0)  A  (0  <  col  —  c  —  1  <  m)  A  (0  <  row  =  y  <  n)  A  1  (31 

(  (Vy  <  n,  k  <  col  :  (y,  k )  £  Clear)  A  (Vy  :  n  —  y  <  y  <  n  :  (y,  col)  £  Clear)  J  f(o 

> cGrow-Bottom1 = cClear-Column − 1

Grow-Bottom1(y)

J  (0  <  c  <  to)  A  (y  <  [§] )  A  (time  mod  cyde  =  0)  A  (0  <  col  =  c  —  1  <  m)  A  (0  <  row  =  n  —  y  —  1  <  n)  A  1 
(  (Vy  <  n,  k  <  col  :  (y,  k)  £  Clear)  A  (Vy  <  y  :  (y,  col)  £  Clear)  J 

cGrow-Top1 = cClear-Column − 1

Grow-Top1(y)

J  (0  <  c  <  to)  A  (y  <  )  A  (time  mod  cycZe  =  0)  A  (0  <  coZ  =  c  —  1  <  ?n)  A  (y  <  |~|]  —  1  =>  row  =  y  +  1)A 

l  (y  =  |~§  ]  —  1  =>  row  =  y)  A  (Vy  <  n,  n  <  col  :  (y,  k)  £  Clear)  A  (Vy  :  n  —  y  —  1  <  y  <  n  :  (y,  col)  £  Clear) 


(31)  A  (y  <  [ 


f(cr)  —  n  —  y 


J  (0  <  c  <  to)  A  (y  <  [§J  —  1)  A  (time  mod  cycle  =  0)  A  (0  <  col  =  c  —  1  <  to)  A  (y  <  [§]  —  1  =>  row  =  y  +  1)A 
1  (y=  Tf]  -1  =►  row  =  y)  A  (Vy  <  n,  k  <  col  :  (y,  k)  £  Clear)  A  (Vy  :  n  —  (y  +  1)  <  y  <  n  :  (y,  col)  £  Clear) 


||>M3 


y ← y + 1


^  ^  1  ~ 

(0  <  c  <  to)  A  (y  <  )  A  ( time  mod  cycle  =  0)  A  (0  <  col  =  c  —  1  <  to)  A  (y  <  |~|]  =>■  row  =  y)A 

(y  =  |~^]  =>  row  =  y  —  1)  A  (Vy  <  n,  n  <  col  :  (y,  At)  £  Clear)  A  (Vy  :  n  —  y  <  g  <  n  :  {g,  col )  €  Clear) 

end  do 

(0  <  c  <  to)  A  (y  =  [|J )  A  {time  mod  cycZe  =  0)  A  (0  <  col  =  c  —  1  <  to)  A  (y  <  [§]  =>■  row  =  y)A 

(y  =  |"^]  =>  row  =  y  —  1)  A  (Vy  <  n,  At  <  col  :  (g,  At)  £  Clear)  A 

.  (Vy  :  n  —  y  <  g  <  n  :  (y,  col)  £  Clear) 

>  is-odd(n)  =>  y  =  [f  J  =  [f 1  “  1  <  [f 1  row  =  2/  =  [§ 1  -  1 

>  is-even(n)  =>  y  =  [(H  =  [?]=>  row  =  y  —  1  =  |~|"|  -1 

>  n  —  y  =  n  —  [|J  =  f|]  >  |"|]  —  1  =  row 


> 


(31) 


f(er)  =  n 


>  (31)  A  -i(y  < 


9 

10 


(0  <  c  <  m)  A  (y  =  )  A  (Zzme  mod  cycle  =  0)  A  (0  <  col  =  c  —  1  <  m)  A  (0  <  row  =  [§]  — 

(Vy  <  n,K  <  col  :  (y,  At)  £  Clear)  A  (Vy  :  row  <  y  <  n  :  (y,  col)  £  Clear) 

> cTransition = cClear-Column

Transition 

(0  <  c  <  to)  A  (y  =  [)|J )  A  {time  mod  cycle  =  0)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  2  [^J  —  y 
(Vy  <  n,K  <  col  —1  :  (y,  At)  G  Clear)  A  (Vy  <  y  :  (y,  coZ  —1)  €  Clear) 

while  y  <  n  —  1 


1  <  n)  A 

—  1  <  n)  A 


do 
(0  <  c  <  m)  A  ( [|J  <  y  <  n  —  1)  A  {time  mod  cycle  =  0)  A  (0  <  col  =  c  <  to)  A  (0  <  row  =  2  —  y  —  1  <  n)  A 

(Vy  <  n,  At  <  col  —1  :  (y,  At)  €  Clear)  A  (Vy  <  y  :  (y,  col  —1)  G  Clear) 

cGrow-Top2 = cClear-Column
Grow-Top2(y)

(0  <  c  <  to)  A  ( [|J  <  y  <  n  —  1)  A  {time  mod  cycle  =  0)  A  (0  <  col  =  c  <  to)  A  (0  <  row  =  y  +  1  <  n)  A 
(Vy  <  n,  At  <  col  —1  :  (y,  At)  G  Clear)  A  (Vy  :  2  —  y  <  g  <  n  :  {g,  col  —1)  G  Clear) 

> cGrow-Bottom2 = cClear-Column
Grow-Bottom2(y)

(0  <  c  <  to)  A  ( <  y  <  n  —  1)  A  (Zzme  mod  cycZe  =  0)  A  (0  <  coZ  =  c  <  to)  A  (y  <  n  —  2  =S- 
(y  =  n  —  2  =>  row  =  0)  A  (Vy  <  n,  At  <  col  —1  :  (y,  At)  G  Clear)  A  (Vy  <  y  :  (y,  col  —1)  G  Clear) 

{y  =  n  —  2=>\/g<n,  k<  col  :  (y,  At)  G  Clear) 


row  =  2  [((J  —  y  —  2)A 
A 
(0  <  c  <  to)  A  ( |_^J  —  1  <  y  <  «  —  1)  A  (Zzme  mod  cycZe  =  0)  A  (0  <  coZ  =  c  <  m)  A  (y  <  n  —  2  =>  row  =  2  —  y 

(y  =  n  —  2  =>  row  =  0)  A  (Vy  <  n,  At  <  col  —1  :  (y,  At)  G  Clear)  A  (Vy  <  y  +  1  :  (y,  coZ  —1)  G  Clear)  A 
{y  =  n  —  2  =>  (n  —  1,  coZ  —  1)  G  Clear) 
y ← y + 1
(0  <  c  <  to)  A  ( [|J  <  y  <  n)  A  {time  mod  cycZe  =  0)  A  (0  <  coZ  =  c  <  to)  A  (y  <  n  —  1  =>  row  =  2  —  y  —  1)A 

(y  =  n  —  1  =>  row  =  0)  A  (Vy  <  n,  At  <  col  —1  :  (y,  At)  G  Clear)  A  (Vy  <  y  :  (y,  coZ  —1)  G  Clear)  A 
(y  =  n  —  1  =>  (n  —  1,  coZ  —  1)  G  Clear) 

end  do 

(0  <  c  <  to)  A  (y  =  n  —  1  <  n)  A  {time  mod  cycle  =  0)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  0  <  n)  A 
(Vy  <  n,  At  <  coZ  —1  :  (y,  At)  G  Clear)  A  (Vy  <  y  :  (y,  col  —1)  G  Clear)  A  >  > 

((n  —  1,  col  —1)  G  Clear) 


(32)  A  -i(y  < 
f(cr)  =  n  —  i 


(  {time  mod  cycZe  =  0)  A  (0  <  col  =  c  <  to)  A  (0  <  row  =  0  <  n)  A 
\  (Vy  <  n,  At  <  col  :  (y,  At)  G  Clear) 


>  postcondition 


J. Derivation of Grow-Bottom1 in Figure 27
We assume the time is initially t0.

(  ( speed  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  )  A  ( time  mod  cycle  =  0)  A  ( time  =  to)  A  (0  <  col  =  c  <  m)  A 

(  (0  <  row  =  y  <  n)  A  (Vp  <  n,  k  <  col  :  (g,  n)  £  Clear)  A  (Vp  :  n  —  y  <  g  <  n  :  (p,  col)  £  Clear) 


>  precondition


tj-  v_  Kjieur)  /\ 


1  move  S  y 


2  move  E  1 


( cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  |_^J )  A  (to  mod  cycle  =  0)  A  ( time  =  to)  A 

(0  <  col  =  c  <  m)  A  (0  <  row  =  y  <  n)  A  ({(p,  n)\g  <  n,  k  <  c}  U  {(p,  c)\n  —  y  <  g  < 

((to  +  y)  div  cycle  =  to  div  cycle) 

move S y

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A  (time  =  to  +  y)  A  (0  <  col  =  c  < 

(0  <  row  =  0  <  n)  A  ({(p,  n)\g  <  n,  k  <  c}  U  {(p,  c)| g  <  y}  U  {(p,  c)\n  —  y  <  g  <  n}  C  Clear)  A 

((to  +  V  +  1)  div  cycle  =  (to  +  y)  div  cycle) 

move E 1


m 


0  A 


1)  A  (y  <  [t|J  )  A  (to  mod  cycle  =  0)  A  (time  =  to  +  y  +  1)  A  (0  <  col  =  c  +  1  <  m)  A 
t)|p  <  n,  k  <  c]  U  {(p,  c)\g  <  y}  U  {(p,  c)\n  —  y  <  g  <  n}  U  {(0,  c  +  1)}  C  Clear)  A 

j.  i  i  i  \  _ 7„\ 


(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A  (til 

(0  <  row  =  0  <  n)  A  ({(g,  n)\g  <  n,  k  <  c}  U  {(g,  c)\g  <  y}  U  {(p,  c)|r 

((to  +  2y  +  2)  div  cycle  =  (to  +  y  +  1)  div  cycle) 

move  N  y  +  1 

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A 

(time  =  t0  +  2y  +  2)  A  (0  <  col  =  c  +  1  <  to)  A  (0  <  row  =  y  +  1  <  n)  A 

({(£>,  k) |p  <  n,  k  <  c}  U  {(p,  c)\g  <  y}  U  {(g,  c)\n  —  y  <  g  <  n}  U  {(p,  c  +  l)|p  <  y  +  1}  C  Clear)  A 

// j.  i  o..  i  o\  _ {j.  i  o..  i 


4 move W 1


(U0,«;|  Q  <n,K<c\  U  {{g,c)\g  <y\  U  {(g,c)\n 
((to  +  2y  +  3)  div  cycle  =  (to  +  2y  +  2)  div  cycle) 

move W 1

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  )  A  (to  mod  cycle  =  0)  A 

(time  =  to  +  2y  +  3)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  y  +  1  <  n)  A 


/  \  /  Lz  J  '  v 

=  to  +  2 y  +  3)  A  (0  <  col  =  c  <  in)  A  (0  ^  ruw  —  y  - r  i  s  it;  /  \ 

}  U  {(p,  c  +  l)|p  <  y  +  1}  C  Clear)  A 


i  j  /  \  yu  .  ;  u )  /  \  yu  /  ulv  —  yn-x  \  / 

({(£>,  «)|e  <  n,  k  <  c}  U  {(g,c)\g  <  y  +  1}  U  {(p,c)|n  -y<g<n 

'''  rip  =  (tn  -I-  277  -I-  31  div  ciir.l.e\ 


({(p,  K)|p  <  n,n  <  c\  U  Up,c)|£»  <  y  +  1)  U  {(p, 

((to  +  n  +  1)  div  cycle  =  (to  +  2y  +  3)  div  cycle) 
move  N  n  —  2y  —  2 

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A 
(time  =  to  +  n  +  1)  A  (0  <  col  =  c  <  m)  A  (0  <  row  —  n  ~  y  —  1  <  n)  A 


77  -r  L)  /\  yc  ^  in  —  L)  /\  yy  ^ j  )  /\  ^o 
(time  =  to  +  n  +  1)  A  (0  <  col  =  c  <  m)  A  (0  <  iu  uj  —  1 1  —  y  —  x  s  io)  /  \ 

({(p,  n)\g  <  n,  k  <  c}  U  {(p,  c)\g<n-y-l}\J  {(p,  c)\n  —  y  <  g  <  n}  U  {(p,  c  +  l)|p  <  y  +  1}  C  Clear) 


{(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A  (time  =  to  +  n  +  1)  A 

(0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  1  <  n)  A  ({(g,  k)| g  <  n,  k  <  c}  U  {(p,  c  +  l)|g  <  y  +  1}  C  Clear)  A 
(\/g  :  y  +  2  <  g  <  n  :  e-adjacent((p,  c  +  1),  (g,  c)))  A  (\/g  :  g  <  y  +  1  :  e-adjacent((p,  c  +  2),  (g,  c  +  1)))  A 
(e-adjacent((c  +  1  ,y  +  2),  (c, y  +  1)))  A  ((to  +  cycle)  div  cycle  =  (to  +  n  +  1)  div  cycle  +1) 


6  evader-move 

J  (cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [§J )  A  ((to  +  cycle)  mod  cycle  =  0)  A  (time  =  to  +  cycle)  A 

(  (0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  1  <  n)  A  ({(g,  «)|f)  <  n,  k  <  c}  U  {(p,  c)|p  <  y  +  1}  C  Clear) 

=> 

J  (time  mod  cycle  =  0)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  1  <  n)  A 

(  (\/g  <  n,  k  <  col  :  (g,  k)  £  Clear)  A  (\/g  <  y  :  (g,  col)  £  Clear) 


>  postcondition


K. Derivation of Grow-Top1 in Figure 28

We  make  use  of  the  observation  in  Appendix  A.2.c  that  Rule  (11)  can  be  treated  as  Rule  (10)  in 
which  the  else  block  consists  only  of  a  no-op;  we  use  this  to  simplify  the  derivation  by  expanding 
the  algorithm’s  if  construct  to  include  a  no-op-only  else  block. 
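
The reduction used here, written out as an added worked step that is not part of the paper. It assumes that Rules (10) and (11), which are stated in Appendix A and not reproduced in this section, have the standard Hoare-logic forms for if-then-else and if-then, and that no-op leaves every assertion unchanged; P, Q, B, S1 and S2 are placeholder symbols.

  if-then-else (assumed form of Rule (10)):   {P ∧ B} S1 {Q},   {P ∧ ¬B} S2 {Q}   ⊢   {P} if B then S1 else S2 end if {Q}
  if-then (assumed form of Rule (11)):        {P ∧ B} S1 {Q},   (P ∧ ¬B) ⇒ Q      ⊢   {P} if B then S1 end if {Q}

  Take S2 = no-op. The no-op axiom gives {P ∧ ¬B} no-op {P ∧ ¬B}, and the rule of consequence with (P ∧ ¬B) ⇒ Q weakens the postcondition to give {P ∧ ¬B} no-op {Q}. The second premise of the if-then rule therefore supplies the second premise of the if-then-else rule, and both rules conclude the same triple about S1 guarded by B.

In the derivation below, B is n > 2y + 3, S1 is the statement move S n − 2y − 3, and the else branch is the single no-op, so the implication (P ∧ ¬B) ⇒ Q is discharged as the annotated steps around that no-op.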

We assume the time is initially t0.

j  ( speed  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [§J )  A  ( time  mod  cycle  =  0)  A  (0  <  col  =  c  <  m)  A 
(  (0  <  row  =  n  —  y  —  1  <  n)  A  (Vp  <  n,n  <  col  :  (p,  k)  £  Clear )  A  (Vp  <  y  :  (p,  col)  £  Clear) 


>  precondition


( cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A  ( time  =  to)  A 

(0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  1  <  n)  A  ({(p,  fc)|p  <  n,  k  <  c}  U  {(p,  c)  |p  <  y}  C  Clear)  A 

((to  +  y)  div  cycle  =  to  div  cycle) 

move  N  y 

( cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (to  mod  cycle  =  0)  A  (time  =  fo  +  y)  A  (0  <  col  =  c  <  m)  A 

(0  <  row  =  n  —  1  <  n)  A  ({(p,  n)  |p  <  n,  n  <  c}  U  {(p,  c)|p  <  y}  U  {(p,  c)|n  —  y  —  1  <  p  <  n)  C  Clear)  A 

((to  +  2/  +  1)  div  cycle  =  to  +  ydiv  cycle) 

move  E  1 

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  [^J )  A  (t0  mod  cycle  =  0)  A 
(time  —  to  +  y  +  1)  A  (0  <  col  =  c  +  1  <  m)  A  (0  <  row  =  n  —  1  <  n)  A 

({ (p,  «)|p  <  n,  k  <  c}  U  { (p,  c)|p  <  y}  U  { (p,  c)|n  —  y  —  1  <  p  <  n}  U  {(n  —  1,  c  +  1)}  C  Clear)  A 

((fo  +  2y  +  2)  div  ct/cfe  =  fo  +  2/  +  1  div  cycle) 

move  S  y  +  1 

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  )  A  (to  mod  cycle  =  0)  A 

(time  =  to  +  2y  +  2)  A  (0  <  col  =  c  +  1  <  to)  A  (0  <  row  =  n  —  y  —  2  <  n)  A 

({ (p,  k)\q  <  n,  k  <  c}  U  { (p,  c)|p  <  y}  U  { (p,  c)|n  —  y  —  1  <  p  <  n}  U  {(p,  c  +  l)|n  —  y  ~  2  <  p  <  n}  C  Clear)  A 

((fo  +  2y  +  3)  div  ct/cfe  =  fo  +  2y  +  2  div  cycle) 

move W 1

(cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  )  A  (t0  mod  cycle  =  0)  A 

(time  =  fo  +  2y  +  3)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  2<n)A 

({ (p,  «)|p  <  n,  k  <  c}  U  {(p,  c)|p  <  p}  U  { (p,  c)|n  —  y  —  2  <  p  <  n}  U  {(p,  c  +  l)|n  —  y  —  2  <  p  <  n}  C  Clear) 

>  need  a  more  elegant  mechanism  there,  for  referencing  later 
if  n  >  2y  +  3 

then 

>  (y<  Lf  J)  A(n>2j/  +  3)=^§>2/+|^LfJ>2f  +  1 


5 

6 


{{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  (y  <  —  1)  A  {to  mod  cycle  =  0)  A 

{time  =  to  +  2y  +  3)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  2  <  n)  A 
({(ft  k)\q  <  n,  k  <  c}  U  {(^,  c)|p  <  y}  U  {(ft  n)\n  —  y  —  2  <  g  <  n,  c  <  k  <  c  +  1}  C  Clear)  A 
((to  +  n)  div  cycle  =  to  +  2y  +  3  div  cycle ) 

7  move  S  n  —  2y  —  3 

{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  {y  <  —  1)  A  {to  mod  cycle  =  0)  A 

{time  =  to  +  n)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  y  +  1  <  n)  A 

({(ft  k)\q  <  n,  k  <  c}  U  {(g),  c)|p  <  y}  U  {(ft  c)\y  +  1  <  g  <  n}  U  {(ft  c  +  l)|n  —  y  —  2  <  g  <  n}  C  Clear) 
\>  (0  <  row  =  y  +  1  <  n)  =  (0  <  row  =  y  +  1  <  n)  A  TRUE 
>  TRUE  =  (false  =>  row  =  y) 

\>  (0  <  row  =  y  +  1  <  n)  =  (true  =>  row  =  y  +  1) 


|  t>  {A)  A  (n  >  2y  +  3) 
{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  {y  <  —  1)  A  (to  mod  cycle  =  0)  A 

{to  <  time  <to  +  n+  l<io  +  cycle)  A  (0  <  col  =  c  <  m)  A  {y  <  [^]  —  1  =>  row  =  y  +  1)A 

{y  =  |"f]  —  1  =>  row  =  y)  A  ({(ft  k)  \g  <  n,  k  <  c]  U  {(ft  c  +  l)|?i  —  y  —  2  <  g  <  n}  C  Clear) 

else 

>  ({y  <  Li J ) A  Hn  >  2v  +  3)  =>  f  <  y  +  |  =>  Lf  J  ^  v  +  x)  ^  v  =  LS J  -  1 

{{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  {y  =  —  1)  A  (to  mod  cycle  =  0)  A 

{time  =  to  +  2y  +  3)  A  (0  <  col  =  c  <  m)  A  (0  <  row  =  n  —  y  —  2  <  n)  A 
({(g,  n)\g  <  n,  k  <  c}  U  {(ft  c)\g  <  y}  U  {(ft  k)|tz  —  y  —  2  <  g  <  n,  c  <  k  <  c  +  1}  C  Clear) 

>  is-even(n)  =>  {y  =  [§]  —  1)  A  (n  —  y  —  2  =  y) 

>  is-odd(n)  =>  {y  =  |~§"|  -  2  <  [~§]  -l)A(n-y-2  =  j/  +  l) 
no-op 

{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  {y  <  —  1)  A  (to  mod  cycle  =  0)  A 

(to  <  time  =  to  +  2  +  1  <  t0  +  ?i  +  1  <  to  +  cycle) A 

(0  <  col  =  c  <  to)  A  (y  <  |"! ]  —  1  =>  row  =  y  +  1)  A  (y  =  [§]  —  1  =>  row  =  3/) A 
({(ft  «)|p  <  n,  k  <  c}  U  {(0,  c  +  l)|n  —  y  —  2  <  p  <  ?z}  C  Clear) 

end  if 


>  (®) 


O  (^7)  A  ->(n  >  2y  +  3) 


(®)  => 

{{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  {y  <  [^1  —  1)  A  (<o  mod  cycle  =  0)  A  (to  <  time  <  to  +  cycle)  A  (0  <  col  =  c  <  m)  A 

{y  <  [{{]  —  1  =>  row  =  y  +  1)  A  {y  =  (^]  —  1  =>  row  =  y)  A  ((to  +  cycle)  div  q/cfe  =  time  div  q/cfe  +1)  A 

({(p,  k)\q  <  n,  n  <  c}  U  {(ft  c  +  l)|n  —  y  —  2  <  p  <  ?x}  C  Clear)  A  (Vp  :  g  <  n  —  y  —  2  :  e-adjacent((p,  c  +  1),  (p,  c)))  A 
(Vp  :n  —  y  —  2<g<n:  e-adjacent((ft  c  +  2),  (p,c+  1)))  A  (e-adjacent((c  +  1,  n  —  y  —  2),  (c,  n  —  y  —  3))) 

evader-move 

{{cycle  >  n  +  1)  A  (c  <  m  —  1)  A  {y  <  —  1)  A  ((to  +  cycle)  mod  cycle  =  0)  A  {time  =  to  +  cycle)  A  'l 

(0  <  col  =  c  <  m)  A  {y  <  |"|]  —  1  =>  row  =  y  +  1)  A  {y  =  |"^]  —  1  =>  row  =  3/) A  > 

({(ft  n)\g  <  n,  k  <  c}  U  {(g,  c)|n  —  y  —  1  <  g  <  n}  C  Clear)  \ 


(  {time  mod  cycte  =  0)  A  (0  <  col  =  c  <  m)  A  {y  <  |" | ]  —  1  =>■  row  =  y  +  1)  A  {y  =  —  1  =>  row  =  j/)A 

{  (y g  <  n,  k  <  col  :  (ft  k)  £  Clear)  A  (Vp  :  n  —  y  —  1  <  g  <  n  :  {g,  col)  £  Clear) 


>  postcondition


L.  Derivation  of  Transition  in  Figure  29 
We assume the time is initially t0.

(  ( speed  >  n  +  1)  A  (0  <  c  <  to)  A  ( time  mod  cycle  =  0)  A  (0  <  col  =  c  —  1  <  m)  A  (0  <  row  =  [|]  —  1  <  n)  A 
(  (Vf)  <  n,  k  <  col  :  (g,  k)  £  Clear)  A  (Vf)  :  row  <  g  <  n  :  (g,  col )  £  Clear) 


>  precondition


(cycle  >n+l)  v  7  _ 

U0  <  row  =  [f  ]  —  1  <  n)  A  ({(f),  k)\q  <  n,  k  <  c  —  1}  U  {(f),  c  —  1)|  [f  ]  <  g  <  n}  C  Clear)  A  i 
(to  +  [f~|  —  1)  div  ct/cfe  =  to  div  cycle)  J 

move S ⌈n/2⌉ − 1

{(cycle  >  n  +  1)  A  (0  <  c  <  m)  A  (to  mod  ct/cfe  =  0)  A  (time  =  to+fil-l)A 

(0  <  col  =  c  —  1  <  to)  A  (0  <  row  =  0  <  n)  A  ({(f),  «)|f)  <  n,  k  <  c  —  1}  U  {(f),  c  —  1) |0  <  g  <  n}  C  Clear)  A 
((to  +  [f  1 )  div  cycle  =  (t0  +  ]  -  1)  div  cycle) 

move  E  1 

{(cycle  >  n  +  1)  A  (0  <  c  <  m)  A  (to  mod  cycle  =  0)  A  ( time  =  to+ffl)A  ) 

(0  <  col  =  c  <  m)  A  (0  <  row  =  0  <  n)  A  ({(f),  n)\g  <  n,  n  <  c  —  1}  U  {(0,  c)}  C  Clear)  A  > 

((to  +  [f  1  +  Lf  J )  div  cycle  =  (to  +  [f  ] )  div  cycle)  J 

move N ⌊n/2⌋

{(cycle  >  n  +  1)  A  (0  <  c  <  m)  A  (to  mod  cycle  =  0)  A  (time  =  to  +  n)  A  (0  <  col  =  c  <  m)  A  'l 
(0  <  row  =  [|J  <  n)  A  ({(f),  «)|f)  <  n,  n  <c  —  1}  U  {(f),  c)|f)  <  —  Clear)  A  > 

((to  +  n  +  1)  div  cycle  =  (to  +  n)  div  cycle)  J 

move  s  1 

(  (cycle  >  n  +  1)  A  (0  <  c  <  m)  A  (to  mod  cycle  =  0)  A  (time  =  to  +  n  +  1)  A  (0  <  col  =  c  <  m)  A  ) 

I  (0  <  row  =  [|J  —  1  <  n)  A  ({(f),  ic)|f)  <  n,  k  <  c  —  1}  U  {(f),  c)\g  <  fJ}C  Clear)  A  I 

|  (Vf)  :  [f  J  +  1  <  g  <  n  :  e-adjacent((f),  c),  (g,  c  —  1)))  A  (Vf)  :  g  <  [f  :  e-adjacent((f),  c  +  1),  (g,  c)))  A  | 

[  (e-adjacent((c,  [f  J  +  1),  (c  —  1,  [f  J)))  A  ((to  +  cycle)  div  cycle  =  time  div  cycle  +1)  J 

evader-move 

J  (cycle  >  n  +  1)  A  (0  <  c  <  m)  A  ((to  +  cycle)  mod  cycle  =  0)  A  (time  =  to  +  cycle)  A  (0  <  col  =  c  <  m)  A 

\  (0  <  row  =  [f  J  —  1  <  n)  A  ({(f),  «)|f)  <  n,  k  <  c  —  1}  U  { (g»,  c  —  l)|f)  <  [f  J  —  1}  U  {([|J  —  1 ,  c) }  C  Clear) 




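\[
\left.\begin{array}{l}
(\mathit{time} \bmod \mathit{cycle} = 0) \land (0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = \lfloor n/2 \rfloor - 1 < n) \land \\
(\forall \rho < n,\ \kappa < \mathit{col} - 1 : (\rho,\kappa) \in \mathit{Clear}) \land (\forall \rho < \mathit{row} : (\rho,\mathit{col} - 1) \in \mathit{Clear})
\end{array}\right\}\ \triangleright\ \text{postcondition}
\]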


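M. Derivation of GROW-TOP2 in Figure 30
We assume the time is initially $t_0$.

\[
\left.\begin{array}{l}
(\mathit{speed} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (\mathit{time} \bmod \mathit{cycle} = 0) \land (0 \le \mathit{col} = c < m) \land \\
(0 \le \mathit{row} = 2\lfloor n/2 \rfloor - y - 1 < n) \land (\forall \rho < n,\ \kappa < \mathit{col} - 1 : (\rho,\kappa) \in \mathit{Clear}) \land (\forall \rho < y : (\rho,\mathit{col} - 1) \in \mathit{Clear})
\end{array}\right\}\ \triangleright\ \text{precondition}
\]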


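\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0) \land \\
(0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = 2\lfloor n/2 \rfloor - y - 1 < n) \land (\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid \rho < y\} \subseteq \mathit{Clear}) \land \\
((t_0 + 2(y - \lfloor n/2 \rfloor) + 1) \mathbin{\mathrm{div}} \mathit{cycle} = t_0 \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move N $2(y - \lfloor n/2 \rfloor) + 1$

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + 2y - 2\lfloor n/2 \rfloor + 1) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid \rho < y\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = y < n) \land ((t_0 + 2y - 2\lfloor n/2 \rfloor + 2) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + 2y - 2\lfloor n/2 \rfloor + 1) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move W 1

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + 2y - 2\lfloor n/2 \rfloor + 2) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid \rho < y\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c-1 < m) \land (0 \le \mathit{row} = y < n) \land ((t_0 + y + n - 2\lfloor n/2 \rfloor + 1) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + 2y - 2\lfloor n/2 \rfloor + 2) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move N $n - y - 1$

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + y + n - 2\lfloor n/2 \rfloor + 1) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid \rho < n-1\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c-1 < m) \land (0 \le \mathit{row} = n-1 < n) \land ((t_0 + y + n - 2\lfloor n/2 \rfloor + 2) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + y + n - 2\lfloor n/2 \rfloor + 1) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move E 1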

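\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + y + n - 2\lfloor n/2 \rfloor + 2) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y\} \cup \{(n-1,c)\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = n-1 < n) \land ((t_0 + 2n - 2\lfloor n/2 \rfloor) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + y + n - 2\lfloor n/2 \rfloor + 2) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move S $n - y - 2$

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + 2\lceil n/2 \rceil) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y\} \cup \{(\rho,c) \mid y+1 < \rho < n\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = y+1 < n) \land ((t_0 + \mathit{cycle}) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + 2\lceil n/2 \rceil) \mathbin{\mathrm{div}} \mathit{cycle} + 1) \land \\
(\forall \rho : 0 < \rho < 2\lfloor n/2 \rfloor - y - 1 : \text{e-adjacent}((\rho,c),(\rho,c-1))) \land \\
(\forall \rho : 2\lfloor n/2 \rfloor - y - 1 < \rho < n : \text{e-adjacent}((\rho,c+1),(\rho,c))) \land (\text{e-adjacent}((c,2\lfloor n/2 \rfloor - y - 2),(c-1,2\lfloor n/2 \rfloor - y - 1)))
\end{array}\right\}
\]

evader-move

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land ((t_0 + \mathit{cycle}) \bmod \mathit{cycle} = 0) \land \\
(\mathit{time} = t_0 + \mathit{cycle}) \land (0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = y+1 < n) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid 2\lfloor n/2 \rfloor - y < \rho < n\} \cup \{(y+1,c)\} \subseteq \mathit{Clear})
\end{array}\right\}
\]

$\Rightarrow$

\[
\left.\begin{array}{l}
(\mathit{time} \bmod \mathit{cycle} = 0) \land (0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = y+1 < n) \land \\
(\forall \rho < n,\ \kappa < \mathit{col} - 1 : (\rho,\kappa) \in \mathit{Clear}) \land (\forall \rho : 2\lfloor n/2 \rfloor - y < \rho < n : (\rho,\mathit{col} - 1) \in \mathit{Clear})
\end{array}\right\}\ \triangleright\ \text{postcondition}
\]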


N. Derivation of GROW-BOTTOM2 in Figure 31

We make use of the observation in Appendix A.2.c that Rule (11) can be treated as Rule (10) in
which the else block consists only of a no-op; we use this to simplify the derivation by expanding
the algorithm's if construct to include a no-op-only else block.

We assume the time is initially $t_0$.

\[
\left.\begin{array}{l}
(\mathit{speed} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (\mathit{time} \bmod \mathit{cycle} = 0) \land (0 \le \mathit{col} = c < m) \land \\
(0 \le \mathit{row} = y+1 < n) \land (\forall \rho < n,\ \kappa < \mathit{col} - 1 : (\rho,\kappa) \in \mathit{Clear}) \land \\
(\forall \rho : 2\lfloor n/2 \rfloor - y < \rho < n : (\rho,\mathit{col} - 1) \in \mathit{Clear})
\end{array}\right\}\ \triangleright\ \text{precondition}
\]


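\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0) \land (0 \le \mathit{col} = c < m) \land \\
(0 \le \mathit{row} = y+1 < n) \land (\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid 2\lfloor n/2 \rfloor - y < \rho < n\} \subseteq \mathit{Clear}) \land \\
((t_0 + 2(y - \lfloor n/2 \rfloor + 1)) \mathbin{\mathrm{div}} \mathit{cycle} = t_0 \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move S $2(y - \lfloor n/2 \rfloor + 1)$

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + 2y - 2\lfloor n/2 \rfloor + 2) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid 2\lfloor n/2 \rfloor - y < \rho < n\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = 2\lfloor n/2 \rfloor - y - 1 < n) \land ((t_0 + 2y - 2\lfloor n/2 \rfloor + 3) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + 2y - 2\lfloor n/2 \rfloor + 2) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move W 1

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + 2y - 2\lfloor n/2 \rfloor + 3) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c-1) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < n\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c-1 < m) \land (0 \le \mathit{row} = 2\lfloor n/2 \rfloor - y - 1 < n) \land ((t_0 + y + 2) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + 2y - 2\lfloor n/2 \rfloor + 3) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move S $2\lfloor n/2 \rfloor - y - 1$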



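\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + y + 2) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear}) \land \\
(0 \le \mathit{col} = c-1 < m) \land (0 \le \mathit{row} = 0 < n) \land ((t_0 + y + 3) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + y + 2) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

move E 1

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + y + 3) \land \\
(0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = 0 < n) \land (\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(0,c)\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear})
\end{array}\right\}
\]

if $y < 2(\lfloor n/2 \rfloor - 1)$

then

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < 2\lfloor n/2 \rfloor - 2) \land (t_0 \bmod \mathit{cycle} = 0) \land \\
(\mathit{time} = t_0 + y + 3) \land (0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = 0 < n) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(0,c)\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear}) \land \\
((t_0 + 2\lfloor n/2 \rfloor + 1) \mathbin{\mathrm{div}} \mathit{cycle} = (t_0 + y + 3) \mathbin{\mathrm{div}} \mathit{cycle})
\end{array}\right\}
\]

$\triangleright$ (©) $\land\ (y < 2(\lfloor n/2 \rfloor - 1))$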


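move N $2\lfloor n/2 \rfloor - y - 2$

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < 2\lfloor n/2 \rfloor - 2) \land (t_0 \bmod \mathit{cycle} = 0) \land \\
(t_0 < t_0 + n \le \mathit{time} \le t_0 + n + 1 < t_0 + \mathit{cycle}) \land (0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = 2\lfloor n/2 \rfloor - y - 2 < n) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 0 < \rho < 2\lfloor n/2 \rfloor - y - 2\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear})
\end{array}\right\}
\]

$\triangleright\ \text{is-even}(n) \land (y = n-2) \Rightarrow 2\lfloor n/2 \rfloor - y - 2 = 0$
$\triangleright\ \text{is-odd}(n) \land (y < 2(\lfloor n/2 \rfloor - 1)) \Rightarrow y < n-3 < n-2$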


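\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land \\
(t_0 < t_0 + n \le \mathit{time} \le t_0 + n + 1 < t_0 + \mathit{cycle}) \land (0 \le \mathit{col} = c < m) \land (y < n-2 \Rightarrow \mathit{row} = 2\lfloor n/2 \rfloor - y - 2) \land \\
(y = n-2 \Rightarrow \mathit{row} = 0) \land (\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 0 < \rho < y+1\} \subseteq \mathit{Clear})
\end{array}\right\}\quad (\epsilon)
\]

else

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (2\lfloor n/2 \rfloor - 2 \le y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land \\
(\mathit{time} = t_0 + y + 3) \land (0 \le \mathit{col} = c < m) \land (0 \le \mathit{row} = 0 < n) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(0,c)\} \cup \{(\rho,c) \mid 2\lfloor n/2 \rfloor - y - 1 < \rho < y+1\} \subseteq \mathit{Clear})
\end{array}\right\}
\]

$\triangleright$ (©) $\land\ \lnot(y < 2(\lfloor n/2 \rfloor - 1))$
$\triangleright\ \text{is-even}(n) \Rightarrow 2\lfloor n/2 \rfloor - 2 = n-2 \Rightarrow y = n-2 \Rightarrow 2\lfloor n/2 \rfloor - y - 1 = 1$
$\triangleright\ \text{is-odd}(n) \Rightarrow 2\lfloor n/2 \rfloor - 2 = n-3 \Rightarrow n-3 \le y \le n-2 \Rightarrow 2\lfloor n/2 \rfloor - y - 1 \in \{0, 1\}$
$\triangleright\ \text{is-odd}(n) \land y = n-3 \Rightarrow 0 = 2\lfloor n/2 \rfloor - y - 2$

no-op

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land \\
(t_0 < t_0 + n \le \mathit{time} \le t_0 + n + 1 < t_0 + \mathit{cycle}) \land (0 \le \mathit{col} = c < m) \land (y < n-2 \Rightarrow \mathit{row} = 2\lfloor n/2 \rfloor - y - 2) \land \\
(y = n-2 \Rightarrow \mathit{row} = 0) \land (\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 0 < \rho < y+1\} \subseteq \mathit{Clear})
\end{array}\right\}\quad (\epsilon)
\]

end if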


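$(\epsilon) \Rightarrow$

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land (t_0 \bmod \mathit{cycle} = 0) \land (t_0 < \mathit{time} < t_0 + \mathit{cycle}) \land (0 \le \mathit{col} = c < m) \land \\
(y < n-2 \Rightarrow \mathit{row} = 2\lfloor n/2 \rfloor - y - 2) \land (y = n-2 \Rightarrow \mathit{row} = 0) \land ((t_0 + \mathit{cycle}) \mathbin{\mathrm{div}} \mathit{cycle} = \mathit{time} \mathbin{\mathrm{div}} \mathit{cycle} + 1) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c\} \cup \{(\rho,c) \mid 0 < \rho < y+1\} \subseteq \mathit{Clear}) \land (\forall \rho : y+1 < \rho < n : \text{e-adjacent}((\rho,c),(\rho,c-1))) \land \\
(\forall \rho : 0 < \rho < y+1 : \text{e-adjacent}((\rho,c+1),(\rho,c))) \land (\text{e-adjacent}((c,y+2),(c-1,y+1)))
\end{array}\right\}
\]

evader-move

\[
\left\{\begin{array}{l}
(\mathit{cycle} > n+1) \land (0 < c < m) \land (\lfloor n/2 \rfloor < y < n-1) \land ((t_0 + \mathit{cycle}) \bmod \mathit{cycle} = 0) \land (\mathit{time} = t_0 + \mathit{cycle}) \land \\
(0 \le \mathit{col} = c < m) \land (y < n-2 \Rightarrow \mathit{row} = 2\lfloor n/2 \rfloor - y - 2) \land (y = n-2 \Rightarrow \mathit{row} = 0) \land \\
(\{(\rho,\kappa) \mid \rho < n,\ \kappa < c-1\} \cup \{(\rho,c) \mid 0 < \rho < y+1\} \subseteq \mathit{Clear})
\end{array}\right\}
\]

\[
\left.\begin{array}{l}
(\mathit{time} \bmod \mathit{cycle} = 0) \land (0 \le \mathit{col} = c < m) \land (y < n-2 \Rightarrow \mathit{row} = 2\lfloor n/2 \rfloor - y - 2) \land \\
(y = n-2 \Rightarrow \mathit{row} = 0) \land (\forall \rho < n,\ \kappa < \mathit{col} - 1 : (\rho,\kappa) \in \mathit{Clear}) \land \\
(\forall \rho < y : (\rho,\mathit{col} - 1) \in \mathit{Clear}) \land (y = n-2 \Rightarrow \forall \rho < n,\ \kappa < \mathit{col} : (\rho,\kappa) \in \mathit{Clear})
\end{array}\right\}\ \triangleright\ \text{postcondition}
\]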
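As an added check that is not part of the original paper, the following Python replays the move sequences of Appendices L, M and N and compares the pursuer's final position and elapsed time with the values the derivations reach. It assumes N/S change the row by +1/-1, E/W change the column by +1/-1, each unit step costs one time unit, and y ranges over floor(n/2) < y < n - 1 as printed; all function names are illustrative.

```python
# Added example: replays the move sequences of Appendices L, M and N.
# Assumptions: N/S change row by +1/-1, E/W change col by +1/-1, and each
# unit step costs one time unit (as the time = t0 + ... clauses imply).
STEP = {"N": (1, 0), "S": (-1, 0), "E": (0, 1), "W": (0, -1)}

def run(start, moves, n):
    """Apply (direction, distance) moves; return (row, col, elapsed time)."""
    row, col = start
    elapsed = 0
    for direction, dist in moves:
        if dist < 0:
            raise ValueError("negative move distance")
        dr, dc = STEP[direction]
        row, col = row + dr * dist, col + dc * dist
        if not (0 <= row < n and col >= 0):
            raise ValueError("pursuer left the grid")
        elapsed += dist
    return row, col, elapsed

def transition(n, c):                      # Appendix L
    lo, hi = n // 2, (n + 1) // 2          # floor(n/2), ceil(n/2)
    return run((hi - 1, c - 1),
               [("S", hi - 1), ("E", 1), ("N", lo), ("S", 1)], n)

def grow_top2(n, y, c):                    # Appendix M
    lo = n // 2
    return run((2 * lo - y - 1, c),
               [("N", 2 * (y - lo) + 1), ("W", 1), ("N", n - y - 1),
                ("E", 1), ("S", n - y - 2)], n)

def grow_bottom2(n, y, c):                 # Appendix N
    lo = n // 2
    moves = [("S", 2 * (y - lo + 1)), ("W", 1), ("S", 2 * lo - y - 1), ("E", 1)]
    if y < 2 * (lo - 1):                   # the algorithm's if branch
        moves.append(("N", 2 * lo - y - 2))
    return run((y + 1, c), moves, n)

def check_all(max_n, c=1):
    """Compare every run against the derived postconditions; return case count."""
    cases = 0
    for n in range(2, max_n + 1):
        lo, hi = n // 2, (n + 1) // 2
        assert transition(n, c) == (lo - 1, c, n + 1)
        for y in range(lo + 1, n - 1):     # floor(n/2) < y < n - 1
            assert grow_top2(n, y, c) == (y + 1, c, 2 * hi)
            row, col, t = grow_bottom2(n, y, c)
            assert (row, col) == (2 * lo - y - 2 if y < n - 2 else 0, c)
            assert n <= t <= n + 1
            cases += 1
    return cases
```

Every sequence finishes within n + 1 time units, which is why the assertions can require that the whole sequence fits inside one cycle when cycle > n + 1.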


